recording cvs-1.6 file death

This commit is contained in:
Peter Wemm
1995-12-30 19:02:48 +00:00
parent df2fbf15a2
commit a5b996a7ec
1393 changed files with 0 additions and 403774 deletions
-49
View File
@@ -1,49 +0,0 @@
$Id$
This file lists hardware, which doesn't do what it should do.
Due to the nature of FreeBSD, we do not have the resources to test all
possible kinds of hardware. We do however every now and then find, buy
or hear about hardware which doesn't work with FreeBSD or in general.
This is that list.
To be added to this list, a piece of hardware has to:
A: not do what it claims.
or
B: not do what common sense would expect it to.
Only if performance claims are wildly of the mark will it be listed here.
All entries must have a date and a mail-address associated with them, to
reflect when and by whom they were added.
For multifunctional devices, please indicate if other parts of the device
work OK, or are untested.
For mutual incompabilities, list both devices.
For SCSI and IDE-devices, list the string seen on boot of FreeBSD, if
possible, and trade name.
Infer format from other entries, Keep sorted by first line.
Thankyou.
---
Controller, Data Technology DTC2280, "PC/AT Super I/O Card"
IDE interface can be set to secondary address, but doesn't work there. Suspect
Interrupt isn't moved along. Works fine on primary address. Other parts of
card not tested.
19940828 phk@freefall.cdrom.com
---
IDE-disk, <Maxtor 7345 AT>, "Maxtor 7345"
Cannot coexist on the same IDE-controller with a <WDC AC2540H>, "Western
Digital Caviar 2540" disk. Jumpers not exhaustively experimented with, as
neither of the companies make sufficient information available. Disk works
fine when alone on IDE-controller.
19940828 phk@freefall.cdrom.com
---
IDE-disk, <WDC AC2540H>, "Western Digital Caviar 2540"
Cannot coexist on the same IDE-controller with a <Maxtor 7345 AT>, "Maxtor
7345" disk. Jumpers not exhaustively experimented with, as neither of the
companies make sufficient information available. Disk works fine when alone
on IDE-controller.
19940828 phk@freefall.cdrom.com
---
-69
View File
@@ -1,69 +0,0 @@
-----------------------------------------
FreeBSD 2.0 --- ALPHA Release , ,
----------------------------------------- /( )`
\ \___ / |
Welcome to the ALPHA release of FreeBSD 2.0 - the /- _ `-/ '
first public snapshot of our new 4.4BSD Lite based (/\/ \ \ /\
operating system environment. This install proce- / / | ` \
dure is also at the ALPHA stage, and contains only O O ) / |
the minimum functionality required by an `-^--'`< '
*EXPERIENCED* person to install the system. (_.) _ ) /
It is our hope, of course, that the feedback `.___/` /
provided from this snapshot will `-----' /
greatly assist us in making the release <----. __ / __ \
of 2.0 much more user friendly. Your <----|====O)))==) \) /====
comments and criticisms are very <----' `--' `.__,' \
valuable to us, so please don't hesitate | |
in contacting us! Full details on where and \ / /\
how to provide feedback are given below. ______( (_ / \______/
,' ,-----' |
This install procedure is ALPHA code, and `--{__________)
may very possibly *DESTROY* the contents of your
ENTIRE DISK! Please do not proceed with this installation
unless you've adequately backed up your data first!
If any errors occur during this installation, you can see them
by toggling over to the alternate screen - type ALT-F2 to switch
over, ALT-F1 to switch back to the install screen. The debugging
output on the second screen may be very valuable to us in understanding
your bug report, so please be sure to take note of it when reporting
any failures in the installation! Thanks!
Menus and scrolling output windows may be traversed with the arrow
and Page Up/Page Down keys. To suspend the installation at any point,
hit ESC twice. Hitting TAB will move the focus to different controls.
If you've ever dealt with a DOS installation, you'll know how to deal
with this.
For a more complete description of what's new in this release, please
see the release notes.
For more documentation on this system, it is recommended that you purchase
the 4.4BSD Document Set from O'Reilly Associates and the USENIX Association.
ISBN 1-56592-082-1 We have no connection with O'Reilly, we're just
satisfied customers!
Have fun, and please let us know of any problems you encounter with
this release!
Comments should be sent to:
hackers@FreeBSD.org
Bug reports should be sent using the `send-pr' utility, if you
were able to get the system installed, otherwise to:
bugs@FreeBSD.org
And general questions to:
questions@FreeBSD.org
Please have patience if your questions are not answered right away -
this is an especially busy time for us, and our volunteer resources
are often strained to the limit (if not somewhat past!).
Thanks!
The FreeBSD Project
-14
View File
@@ -1,14 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.4 1995/07/18 16:34:47 mark Exp $
LIB= acl
SHLIB_MAJOR= 2
SHLIB_MINOR= 0
CFLAGS+=-DDEBUG -DKERBEROS -I${.CURDIR}/../include -Wall
SRCS= acl_files.c
MAN3= acl_check.3
MLINKS= acl_check.3 acl_canonicalize_principal.3 \
acl_check.3 acl_exact_match.3 acl_check.3 acl_add.3 \
acl_check.3 acl_delete.3 acl_check.3 acl_initialize.3
.include <bsd.lib.mk>
-183
View File
@@ -1,183 +0,0 @@
.\" from: acl_check.3,v 4.1 89/01/23 11:06:54 jtkohl Exp $
.\" $Id: acl_check.3,v 1.1.1.1 1994/09/30 14:50:05 csgr Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH ACL_CHECK 3 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
acl_canonicalize_principal, acl_check, acl_exact_match, acl_add,
acl_delete, acl_initialize \- Access control list routines
.SH SYNOPSIS
.nf
.nj
.ft B
cc <files> \-lacl \-lkrb
.PP
.ft B
#include <kerberosIV/krb.h>
.PP
.ft B
acl_canonicalize_principal(principal, buf)
char *principal;
char *buf;
.PP
.ft B
acl_check(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_exact_match(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_add(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_delete(acl, principal)
char *acl;
char *principal;
.PP
.ft B
acl_initialize(acl_file, mode)
char *acl_file;
int mode;
.fi
.ft R
.SH DESCRIPTION
.SS Introduction
.PP
An access control list (ACL) is a list of principals, where each
principal is represented by a text string which cannot contain
whitespace. The library allows application programs to refer to named
access control lists to test membership and to atomically add and
delete principals using a natural and intuitive interface. At
present, the names of access control lists are required to be Unix
filenames, and refer to human-readable Unix files; in the future, when
a networked ACL server is implemented, the names may refer to a
different namespace specific to the ACL service.
.PP
.SS Principal Names
.PP
Principal names have the form
.nf
.in +5n
<name>[.<instance>][@<realm>]
.in -5n
e.g.:
.in +5n
asp
asp.root
asp@ATHENA.MIT.EDU
asp.@ATHENA.MIT.EDU
asp.root@ATHENA.MIT.EDU
.in -5n
.fi
It is possible for principals to be underspecified. If an instance is
missing, it is assumed to be "". If realm is missing, it is assumed
to be the local realm as determined by
.IR krb_get_lrealm (3).
The canonical form contains all of name, instance,
and realm; the acl_add and acl_delete routines will always
leave the file in that form. Note that the canonical form of
asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU.
.SS Routines
.PP
.I acl_canonicalize_principal
stores the canonical form of
.I principal
in
.IR buf .
.I Buf
must contain enough
space to store a principal, given the limits on the sizes of name,
instance, and realm specified as ANAME_SZ, INST_SZ, and REALM_SZ,
respectively, in
.IR /usr/include/kerberosIV/krb.h .
.PP
.I acl_check
returns nonzero if
.I principal
appears in
.IR acl .
Returns 0 if principal
does not appear in acl, or if an error occurs. Canonicalizes
principal before checking, and allows the ACL to contain wildcards. The
only supported wildcards are entries of the form
name.*@realm, *.*@realm, and *.*@*. An asterisk matches any value for the
its component field. For example, "jtkohl.*@*" would match principal
jtkohl, with any instance and any realm.
.PP
.I acl_exact_match
performs like
.IR acl_check ,
but does no canonicalization or wildcard matching.
.PP
.I acl_add
atomically adds
.I principal
to
.IR acl .
Returns 0 if successful, nonzero otherwise. It is considered a failure
if
.I principal
is already in
.IR acl .
This routine will canonicalize
.IR principal ,
but will treat wildcards literally.
.PP
.I acl_delete
atomically deletes
.I principal
from
.IR acl .
Returns 0 if successful,
nonzero otherwise. It is considered a failure if
.I principal
is not
already in
.IR acl .
This routine will canonicalize
.IR principal ,
but will treat wildcards literally.
.PP
.I acl_initialize
initializes
.IR acl_file .
If the file
.I acl_file
does not exist,
.I acl_initialize
creates it with mode
.IR mode .
If the file
.I acl_file
exists,
.I acl_initialize
removes all members. Returns 0 if successful,
nonzero otherwise. WARNING: Mode argument is likely to change with
the eventual introduction of an ACL service.
.SH NOTES
In the presence of concurrency, there is a very small chance that
.I acl_add
or
.I acl_delete
could report success even though it would have
had no effect. This is a necessary side effect of using lock files
for concurrency control rather than flock(2), which is not supported
by NFS.
.PP
The current implementation caches ACLs in memory in a hash-table
format for increased efficiency in checking membership; one effect of
the caching scheme is that one file descriptor will be kept open for
each ACL cached, up to a maximum of 8.
.SH SEE ALSO
kerberos(3), krb_get_lrealm(3)
.SH AUTHOR
James Aspnes (MIT Project Athena)
-555
View File
@@ -1,555 +0,0 @@
/*
*
* Copyright 1987,1989 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* <mit-copyright.h>.
*
* from: acl_files.c,v 4.4 89/12/19 13:30:53 jtkohl Exp $
* $Id: acl_files.c,v 1.3 1995/07/18 16:34:49 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: acl_files.c,v 1.3 1995/07/18 16:34:49 mark Exp $";
#endif lint
#endif
/*** Routines for manipulating access control list files ***/
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <strings.h>
#include <sys/file.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/errno.h>
#include <ctype.h>
#include "krb.h"
__BEGIN_DECLS
static int acl_abort __P((char *, FILE *));
__END_DECLS
#ifndef KRB_REALM
#define KRB_REALM "ATHENA.MIT.EDU"
#endif
/* "aname.inst@realm" */
#define MAX_PRINCIPAL_SIZE (ANAME_SZ + INST_SZ + REALM_SZ + 3)
#define INST_SEP '.'
#define REALM_SEP '@'
#define LINESIZE 2048 /* Maximum line length in an acl file */
#define NEW_FILE "%s.~NEWACL~" /* Format for name of altered acl file */
#define WAIT_TIME 300 /* Maximum time allowed write acl file */
#define CACHED_ACLS 8 /* How many acls to cache */
/* Each acl costs 1 open file descriptor */
#define ACL_LEN 16 /* Twice a reasonable acl length */
#define MAX(a,b) (((a)>(b))?(a):(b))
#define MIN(a,b) (((a)<(b))?(a):(b))
#define COR(a,b) ((a!=NULL)?(a):(b))
/* Canonicalize a principal name */
/* If instance is missing, it becomes "" */
/* If realm is missing, it becomes the local realm */
/* Canonicalized form is put in canon, which must be big enough to hold
MAX_PRINCIPAL_SIZE characters */
void
acl_canonicalize_principal(principal, canon)
char *principal;
char *canon;
{
char *dot, *atsign, *end;
int len;
dot = index(principal, INST_SEP);
atsign = index(principal, REALM_SEP);
/* Maybe we're done already */
if(dot != NULL && atsign != NULL) {
if(dot < atsign) {
/* It's for real */
/* Copy into canon */
strncpy(canon, principal, MAX_PRINCIPAL_SIZE);
canon[MAX_PRINCIPAL_SIZE-1] = '\0';
return;
} else {
/* Nope, it's part of the realm */
dot = NULL;
}
}
/* No such luck */
end = principal + strlen(principal);
/* Get the principal name */
len = MIN(ANAME_SZ, COR(dot, COR(atsign, end)) - principal);
strncpy(canon, principal, len);
canon += len;
/* Add INST_SEP */
*canon++ = INST_SEP;
/* Get the instance, if it exists */
if(dot != NULL) {
++dot;
len = MIN(INST_SZ, COR(atsign, end) - dot);
strncpy(canon, dot, len);
canon += len;
}
/* Add REALM_SEP */
*canon++ = REALM_SEP;
/* Get the realm, if it exists */
/* Otherwise, default to local realm */
if(atsign != NULL) {
++atsign;
len = MIN(REALM_SZ, end - atsign);
strncpy(canon, atsign, len);
canon += len;
*canon++ = '\0';
} else if(krb_get_lrealm(canon, 1) != KSUCCESS) {
strcpy(canon, KRB_REALM);
}
}
/* Get a lock to modify acl_file */
/* Return new FILE pointer */
/* or NULL if file cannot be modified */
/* REQUIRES WRITE PERMISSION TO CONTAINING DIRECTORY */
static FILE *
acl_lock_file(acl_file)
char *acl_file;
{
struct stat s;
char new[LINESIZE];
int nfd;
FILE *nf;
int mode;
if(stat(acl_file, &s) < 0) return(NULL);
mode = s.st_mode;
sprintf(new, NEW_FILE, acl_file);
for(;;) {
/* Open the new file */
if((nfd = open(new, O_WRONLY|O_CREAT|O_EXCL, mode)) < 0) {
if(errno == EEXIST) {
/* Maybe somebody got here already, maybe it's just old */
if(stat(new, &s) < 0) return(NULL);
if(time(0) - s.st_ctime > WAIT_TIME) {
/* File is stale, kill it */
unlink(new);
continue;
} else {
/* Wait and try again */
sleep(1);
continue;
}
} else {
/* Some other error, we lose */
return(NULL);
}
}
/* If we got to here, the lock file is ours and ok */
/* Reopen it under stdio */
if((nf = fdopen(nfd, "w")) == NULL) {
/* Oops, clean up */
unlink(new);
}
return(nf);
}
}
/* Commit changes to acl_file written onto FILE *f */
/* Returns zero if successful */
/* Returns > 0 if lock was broken */
/* Returns < 0 if some other error occurs */
/* Closes f */
static int
acl_commit(acl_file, f)
char *acl_file;
FILE *f;
{
char new[LINESIZE];
int ret;
struct stat s;
sprintf(new, NEW_FILE, acl_file);
if(fflush(f) < 0
|| fstat(fileno(f), &s) < 0
|| s.st_nlink == 0) {
acl_abort(acl_file, f);
return(-1);
}
ret = rename(new, acl_file);
fclose(f);
return(ret);
}
/*
* Abort changes to acl_file written onto FILE *f
* Returns 0 if successful, < 0 otherwise
* Closes f
*/
static int
acl_abort(acl_file, f)
char *acl_file;
FILE *f;
{
char new[LINESIZE];
int ret;
struct stat s;
/* make sure we aren't nuking someone else's file */
if(fstat(fileno(f), &s) < 0 || s.st_nlink == 0) {
fclose(f);
return(-1);
} else {
sprintf(new, NEW_FILE, acl_file);
ret = unlink(new);
fclose(f);
return(ret);
}
}
/* Initialize an acl_file */
/* Creates the file with permissions perm if it does not exist */
/* Erases it if it does */
/* Returns return value of acl_commit */
int
acl_initialize(acl_file, perm)
char *acl_file;
int perm;
{
FILE *new;
int fd;
/* Check if the file exists already */
if((new = acl_lock_file(acl_file)) != NULL) {
return(acl_commit(acl_file, new));
} else {
/* File must be readable and writable by owner */
if((fd = open(acl_file, O_CREAT|O_EXCL, perm|0600)) < 0) {
return(-1);
} else {
close(fd);
return(0);
}
}
}
/* Eliminate all whitespace character in buf */
/* Modifies its argument */
static void
nuke_whitespace(buf)
char *buf;
{
register char *pin, *pout;
for(pin = pout = buf; *pin != '\0'; pin++)
if(!isspace(*pin)) *pout++ = *pin;
*pout = '\0'; /* Terminate the string */
}
/* Hash table stuff */
struct hashtbl {
int size; /* Max number of entries */
int entries; /* Actual number of entries */
char **tbl; /* Pointer to start of table */
};
/* Make an empty hash table of size s */
static struct hashtbl *
make_hash(size)
int size;
{
struct hashtbl *h;
if(size < 1) size = 1;
h = (struct hashtbl *) malloc(sizeof(struct hashtbl));
h->size = size;
h->entries = 0;
h->tbl = (char **) calloc(size, sizeof(char *));
return(h);
}
/* Destroy a hash table */
static void
destroy_hash(h)
struct hashtbl *h;
{
int i;
for(i = 0; i < h->size; i++) {
if(h->tbl[i] != NULL) free(h->tbl[i]);
}
free(h->tbl);
free(h);
}
/* Compute hash value for a string */
static unsigned
hashval(s)
register char *s;
{
register unsigned hv;
for(hv = 0; *s != '\0'; s++) {
hv ^= ((hv << 3) ^ *s);
}
return(hv);
}
/* Add an element to a hash table */
static void
add_hash(h, el)
struct hashtbl *h;
char *el;
{
unsigned hv;
char *s;
char **old;
int i;
/* Make space if it isn't there already */
if(h->entries + 1 > (h->size >> 1)) {
old = h->tbl;
h->tbl = (char **) calloc(h->size << 1, sizeof(char *));
for(i = 0; i < h->size; i++) {
if(old[i] != NULL) {
hv = hashval(old[i]) % (h->size << 1);
while(h->tbl[hv] != NULL) hv = (hv+1) % (h->size << 1);
h->tbl[hv] = old[i];
}
}
h->size = h->size << 1;
free(old);
}
hv = hashval(el) % h->size;
while(h->tbl[hv] != NULL && strcmp(h->tbl[hv], el)) hv = (hv+1) % h->size;
s = malloc(strlen(el)+1);
strcpy(s, el);
h->tbl[hv] = s;
h->entries++;
}
/* Returns nonzero if el is in h */
static int
check_hash(h, el)
struct hashtbl *h;
char *el;
{
unsigned hv;
for(hv = hashval(el) % h->size;
h->tbl[hv] != NULL;
hv = (hv + 1) % h->size) {
if(!strcmp(h->tbl[hv], el)) return(1);
}
return(0);
}
struct acl {
char filename[LINESIZE]; /* Name of acl file */
int fd; /* File descriptor for acl file */
struct stat status; /* File status at last read */
struct hashtbl *acl; /* Acl entries */
};
static struct acl acl_cache[CACHED_ACLS];
static int acl_cache_count = 0;
static int acl_cache_next = 0;
/* Returns < 0 if unsuccessful in loading acl */
/* Returns index into acl_cache otherwise */
/* Note that if acl is already loaded, this is just a lookup */
static int
acl_load(name)
char *name;
{
int i;
FILE *f;
struct stat s;
char buf[MAX_PRINCIPAL_SIZE];
char canon[MAX_PRINCIPAL_SIZE];
/* See if it's there already */
for(i = 0; i < acl_cache_count; i++) {
if(!strcmp(acl_cache[i].filename, name)
&& acl_cache[i].fd >= 0) goto got_it;
}
/* It isn't, load it in */
/* maybe there's still room */
if(acl_cache_count < CACHED_ACLS) {
i = acl_cache_count++;
} else {
/* No room, clean one out */
i = acl_cache_next;
acl_cache_next = (acl_cache_next + 1) % CACHED_ACLS;
close(acl_cache[i].fd);
if(acl_cache[i].acl) {
destroy_hash(acl_cache[i].acl);
acl_cache[i].acl = (struct hashtbl *) 0;
}
}
/* Set up the acl */
strcpy(acl_cache[i].filename, name);
if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1);
/* Force reload */
acl_cache[i].acl = (struct hashtbl *) 0;
got_it:
/*
* See if the stat matches
*
* Use stat(), not fstat(), as the file may have been re-created by
* acl_add or acl_delete. If this happens, the old inode will have
* no changes in the mod-time and the following test will fail.
*/
if(stat(acl_cache[i].filename, &s) < 0) return(-1);
if(acl_cache[i].acl == (struct hashtbl *) 0
|| s.st_nlink != acl_cache[i].status.st_nlink
|| s.st_mtime != acl_cache[i].status.st_mtime
|| s.st_ctime != acl_cache[i].status.st_ctime) {
/* Gotta reload */
if(acl_cache[i].fd >= 0) close(acl_cache[i].fd);
if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1);
if((f = fdopen(acl_cache[i].fd, "r")) == NULL) return(-1);
if(acl_cache[i].acl) destroy_hash(acl_cache[i].acl);
acl_cache[i].acl = make_hash(ACL_LEN);
while(fgets(buf, sizeof(buf), f) != NULL) {
nuke_whitespace(buf);
acl_canonicalize_principal(buf, canon);
add_hash(acl_cache[i].acl, canon);
}
fclose(f);
acl_cache[i].status = s;
}
return(i);
}
/* Returns nonzero if it can be determined that acl contains principal */
/* Principal is not canonicalized, and no wildcarding is done */
int
acl_exact_match(acl, principal)
char *acl;
char *principal;
{
int idx;
return((idx = acl_load(acl)) >= 0
&& check_hash(acl_cache[idx].acl, principal));
}
/* Returns nonzero if it can be determined that acl contains principal */
/* Recognizes wildcards in acl of the form
name.*@realm, *.*@realm, and *.*@* */
int
acl_check(acl, principal)
char *acl;
char *principal;
{
char buf[MAX_PRINCIPAL_SIZE];
char canon[MAX_PRINCIPAL_SIZE];
char *realm;
acl_canonicalize_principal(principal, canon);
/* Is it there? */
if(acl_exact_match(acl, canon)) return(1);
/* Try the wildcards */
realm = index(canon, REALM_SEP);
*index(canon, INST_SEP) = '\0'; /* Chuck the instance */
sprintf(buf, "%s.*%s", canon, realm);
if(acl_exact_match(acl, buf)) return(1);
sprintf(buf, "*.*%s", realm);
if(acl_exact_match(acl, buf) || acl_exact_match(acl, "*.*@*")) return(1);
return(0);
}
/* Adds principal to acl */
/* Wildcards are interpreted literally */
int
acl_add(acl, principal)
char *acl;
char *principal;
{
int idx;
int i;
FILE *new;
char canon[MAX_PRINCIPAL_SIZE];
acl_canonicalize_principal(principal, canon);
if((new = acl_lock_file(acl)) == NULL) return(-1);
if((acl_exact_match(acl, canon))
|| (idx = acl_load(acl)) < 0) {
acl_abort(acl, new);
return(-1);
}
/* It isn't there yet, copy the file and put it in */
for(i = 0; i < acl_cache[idx].acl->size; i++) {
if(acl_cache[idx].acl->tbl[i] != NULL) {
if(fputs(acl_cache[idx].acl->tbl[i], new) == NULL
|| putc('\n', new) != '\n') {
acl_abort(acl, new);
return(-1);
}
}
}
fputs(canon, new);
putc('\n', new);
return(acl_commit(acl, new));
}
/* Removes principal from acl */
/* Wildcards are interpreted literally */
int
acl_delete(acl, principal)
char *acl;
char *principal;
{
int idx;
int i;
FILE *new;
char canon[MAX_PRINCIPAL_SIZE];
acl_canonicalize_principal(principal, canon);
if((new = acl_lock_file(acl)) == NULL) return(-1);
if((!acl_exact_match(acl, canon))
|| (idx = acl_load(acl)) < 0) {
acl_abort(acl, new);
return(-1);
}
/* It isn't there yet, copy the file and put it in */
for(i = 0; i < acl_cache[idx].acl->size; i++) {
if(acl_cache[idx].acl->tbl[i] != NULL
&& strcmp(acl_cache[idx].acl->tbl[i], canon)) {
fputs(acl_cache[idx].acl->tbl[i], new);
putc('\n', new);
}
}
return(acl_commit(acl, new));
}
-107
View File
@@ -1,107 +0,0 @@
PROTOTYPE ACL LIBRARY
Introduction
An access control list (ACL) is a list of principals, where each
principal is is represented by a text string which cannot contain
whitespace. The library allows application programs to refer to named
access control lists to test membership and to atomically add and
delete principals using a natural and intuitive interface. At
present, the names of access control lists are required to be Unix
filenames, and refer to human-readable Unix files; in the future, when
a networked ACL server is implemented, the names may refer to a
different namespace specific to the ACL service.
Usage
cc <files> -lacl -lkrb.
Principal Names
Principal names have the form
<name>[.<instance>][@<realm>]
e.g.
asp
asp.root
asp@ATHENA.MIT.EDU
asp.@ATHENA.MIT.EDU
asp.root@ATHENA.MIT.EDU
It is possible for principals to be underspecified. If instance is
missing, it is assumed to be "". If realm is missing, it is assumed
to be local_realm. The canonical form contains all of name, instance,
and realm; the acl_add and acl_delete routines will always
leave the file in that form. Note that the canonical form of
asp@ATHENA.MIT.EDU is actually asp.@ATHENA.MIT.EDU.
Routines
acl_canonicalize_principal(principal, buf)
char *principal;
char *buf; /*RETVAL*/
Store the canonical form of principal in buf. Buf must contain enough
space to store a principal, given the limits on the sizes of name,
instance, and realm specified in /usr/include/krb.h.
acl_check(acl, principal)
char *acl;
char *principal;
Returns nonzero if principal appears in acl. Returns 0 if principal
does not appear in acl, or if an error occurs. Canonicalizes
principal before checking, and allows the ACL to contain wildcards.
acl_exact_match(acl, principal)
char *acl;
char *principal;
Like acl_check, but does no canonicalization or wildcarding.
acl_add(acl, principal)
char *acl;
char *principal;
Atomically adds principal to acl. Returns 0 if successful, nonzero
otherwise. It is considered a failure if principal is already in acl.
This routine will canonicalize principal, but will treat wildcards
literally.
acl_delete(acl, principal)
char *acl;
char *principal;
Atomically deletes principal from acl. Returns 0 if successful,
nonzero otherwise. It is consider a failure if principal is not
already in acl. This routine will canonicalize principal, but will
treat wildcards literally.
acl_initialize(acl, mode)
char *acl;
int mode;
Initialize acl. If acl file does not exist, creates it with mode
mode. If acl exists, removes all members. Returns 0 if successful,
nonzero otherwise. WARNING: Mode argument is likely to change with
the eventual introduction of an ACL service.
Known problems
In the presence of concurrency, there is a very small chance that
acl_add or acl_delete could report success even though it would have
had no effect. This is a necessary side effect of using lock files
for concurrency control rather than flock(2), which is not supported
by NFS.
The current implementation caches ACLs in memory in a hash-table
format for increased efficiency in checking membership; one effect of
the caching scheme is that one file descriptor will be kept open for
each ACL cached, up to a maximum of 8.
-15
View File
@@ -1,15 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.2 1994/07/19 19:21:23 g89r4222 Exp $
PROG= compile_et
CFLAGS+=-I. -I${.CURDIR}
SRCS= compile_et.c error_message.c et_name.c init_et.c perror.c
OBJS+= error_table.o
DPADD= ${LIBL}
LDADD= -ll
CLEANFILES=et_lex.lex.c y.tab.c y.tab.h error_table.c
NOMAN= noman
error_table.c: et_lex.lex.c
.include <bsd.prog.mk>
-172
View File
@@ -1,172 +0,0 @@
/*
*
* Copyright 1986, 1987 by MIT Student Information Processing Board
* For copyright info, see "Copyright.SIPB".
*
* $Id: compile_et.c,v 1.2 1994/07/19 19:21:24 g89r4222 Exp $
*/
#include <stdio.h>
#include <sys/file.h>
#include <strings.h>
#include <sys/param.h>
static char copyright[] = "Copyright 1987 by MIT Student Information Processing Board";
extern char *gensym();
extern char *current_token;
extern int table_number, current;
char buffer[BUFSIZ];
char *table_name = (char *)NULL;
FILE *hfile, *cfile;
/* C library */
extern char *malloc();
extern int errno;
/* lex stuff */
extern FILE *yyin;
extern int yylineno;
/* pathnames */
char c_file[MAXPATHLEN]; /* temporary file */
char h_file[MAXPATHLEN]; /* output */
char o_file[MAXPATHLEN]; /* output */
char et_file[MAXPATHLEN]; /* input */
main(argc, argv)
int argc;
char **argv;
{
register char *p;
int n_flag = 0, debug = 0;
while (argc > 2) {
register char *arg, ch;
arg = argv[--argc];
if (strlen(arg) != 2 || arg[0] != '-')
goto usage;
ch = arg[1];
if (ch == 'n')
n_flag++;
else if (ch == 'd')
debug++;
else
goto usage;
}
if (argc != 2) {
usage:
fprintf(stderr, "Usage: %s et_file [-n]\n", argv[0]);
exit(1);
}
strcpy(et_file, argv[1]);
p = rindex(et_file, '/');
if (p == (char *)NULL)
p = et_file;
else
p++;
p = rindex(p, '.');
if (!strcmp(p, ".et"))
*++p = '\0';
else {
if (!p)
p = et_file;
while (*p)
p++;
*p++ = '.';
*p = '\0';
}
/* p points at null where suffix should be */
strcpy(p, "et.c");
strcpy(c_file, et_file);
p[0] = 'h';
p[1] = '\0';
strcpy(h_file, et_file);
p[0] = 'o';
strcpy(o_file, et_file);
p[0] = 'e';
p[1] = 't';
p[2] = '\0';
yyin = fopen(et_file, "r");
if (!yyin) {
perror(et_file);
exit(1);
}
hfile = fopen(h_file, "w");
if (hfile == (FILE *)NULL) {
perror(h_file);
exit(1);
}
cfile = fopen(c_file, "w");
if (cfile == (FILE *)NULL) {
perror("Can't open temp file");
exit(1);
}
/* parse it */
fputs("#define NULL 0\n", cfile);
fputs("static char *_et[] = {\n", cfile);
yyparse();
fclose(yyin); /* bye bye input file */
fputs("\t(char *)0\n};\n", cfile);
fputs("extern int init_error_table();\n\n", cfile);
fprintf(cfile, "int %s_err_base = %d;\n\n", table_name, table_number);
fprintf(cfile, "int\ninit_%s_err_tbl()\n", table_name);
fprintf(cfile, "{\n\treturn(init_error_table(_et, %d, %d));\n}\n",
table_number, current);
fclose(cfile);
fputs("extern int init_", hfile);
fputs(table_name, hfile);
fputs("_err_tbl();\nextern int ", hfile);
fputs(table_name, hfile);
fputs("_err_base;\n", hfile);
fclose(hfile); /* bye bye hfile */
if (n_flag)
exit(0);
if (!fork()) {
p = rindex(c_file, '/');
if (p) {
*p++ = '\0';
chdir(c_file);
}
else
p = c_file;
execlp("cc", "cc", "-c", "-R", "-O", p, 0);
perror("cc");
exit(1);
}
else wait(0);
if (!debug)
(void) unlink(c_file);
/* make it .o file name */
c_file[strlen(c_file)-1] = 'o';
if (!fork()) {
execlp("cp", "cp", c_file, o_file, 0);
perror("cp");
exit(1);
}
else wait(0);
if (!debug)
(void) unlink(c_file);
exit(0);
}
yyerror(s)
char *s;
{
fputs(s, stderr);
fprintf(stderr, "\nLine number %d; last token was '%s'\n",
yylineno, current_token);
}
-77
View File
@@ -1,77 +0,0 @@
/*
* Copyright 1987 by the Student Information Processing Board
* of the Massachusetts Institute of Technology
* For copyright info, see "Copyright.SIPB".
*
* from: error_message.c,v 1.1 86/11/10 21:34:34 spook Exp $
* $Id: error_message.c,v 1.3 1994/09/09 21:43:22 g89r4222 Exp $
*/
#include <stdio.h>
#include "error_table.h"
extern int sys_nerr;
static char buffer[25];
char *
error_message(code)
int code;
{
register int offset;
register error_table **et;
register int table_num;
register int div;
register char *cp;
offset = code & ((1<<ERRCODE_RANGE)-1);
table_num = code - offset;
if ((_et_list == (error_table **)NULL) && table_num)
goto oops;
if (!table_num) {
if (offset < sys_nerr)
return(sys_errlist[offset]);
else
goto oops;
}
for (et = _et_list; *et != (error_table *)NULL; et++) {
if ((*et)->base == table_num) {
/* This is the right table */
if ((*et)->n_msgs <= offset)
goto oops;
return((*et)->msgs[offset]);
}
}
oops:
cp = buffer;
{
register char *cp1;
for (cp1 = "Unknown code "; *cp1; cp1++, cp++)
*cp = *cp1;
if (table_num) {
for (cp1 = error_table_name(table_num); *cp1; cp1++, cp++)
*cp = *cp1;
*cp++ = ' ';
*cp = '\0';
}
}
div = 1000000000;
if (offset == 0) {
*cp++ = '0';
*cp = '\0';
return(buffer);
}
while (div > offset)
div /= 10;
do {
register int n = offset / div;
*cp++ = '0' + n;
offset -= n * div;
div /= 10;
} while (offset && div);
while (div) {
*cp++ = '0';
div /= 10;
}
*cp = '\0';
return(buffer);
}
-17
View File
@@ -1,17 +0,0 @@
#ifndef _ET
extern int errno;
typedef struct {
char **msgs;
int base;
int n_msgs;
} error_table;
extern error_table **_et_list;
#define ERROR_CODE "int" /* type used for error codes */
#define ERRCODE_RANGE 8 /* # of bits to shift table number */
#define BITS_PER_CHAR 6 /* # bits to shift per character in name */
extern char *error_table_name();
#define _ET
#endif
-205
View File
@@ -1,205 +0,0 @@
%{
#include <stdio.h>
char *str_concat(), *ds(), *quote(), *malloc(), *realloc();
char *current_token = (char *)NULL;
extern char *table_name;
%}
%union {
char *dynstr;
}
%token ERROR_TABLE ERROR_CODE_ENTRY END
%token <dynstr> STRING QUOTED_STRING
%type <dynstr> ec_name description table_id
%{
%}
%start error_table
%%
error_table : ERROR_TABLE table_id error_codes END
{ table_name = ds($2);
current_token = table_name;
put_ecs(); }
;
table_id : STRING
{ current_token = $1;
set_table_num($1);
$$ = $1; }
;
error_codes : error_codes ec_entry
| ec_entry
;
ec_entry : ERROR_CODE_ENTRY ec_name ',' description
{ add_ec($2, $4);
free($2);
free($4); }
| ERROR_CODE_ENTRY ec_name '=' STRING ',' description
{ add_ec_val($2, $4, $6);
free($2);
free($4);
free($6);
}
;
ec_name : STRING
{ $$ = ds($1);
current_token = $$; }
;
description : QUOTED_STRING
{ $$ = ds($1);
current_token = $$; }
;
%%
/*
* Copyright 1986, 1987 by the MIT Student Information Processing Board
* For copyright info, see Copyright.SIPB.
*/
#include <stdlib.h>
#include <strings.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/time.h>
#include "error_table.h"
extern FILE *hfile, *cfile;
static long gensym_n = 0;
char *
gensym(x)
char *x;
{
char *symbol;
if (!gensym_n) {
struct timeval tv;
struct timezone tzp;
gettimeofday(&tv, &tzp);
gensym_n = (tv.tv_sec%10000)*100 + tv.tv_usec/10000;
}
symbol = malloc(32 * sizeof(char));
gensym_n++;
sprintf(symbol, "et%ld", gensym_n);
return(symbol);
}
char *
ds(string)
char *string;
{
char *rv;
rv = malloc(strlen(string)+1);
strcpy(rv, string);
return(rv);
}
char *
quote(string)
char *string;
{
char *rv;
rv = malloc(strlen(string)+3);
strcpy(rv, "\"");
strcat(rv, string);
strcat(rv, "\"");
return(rv);
}
int table_number;
int current = 0;
char **error_codes = (char **)NULL;
add_ec(name, description)
char *name, *description;
{
fprintf(cfile, "\t\"%s\",\n", description);
if (error_codes == (char **)NULL) {
error_codes = (char **)malloc(sizeof(char *));
*error_codes = (char *)NULL;
}
error_codes = (char **)realloc((char *)error_codes,
(current + 2)*sizeof(char *));
error_codes[current++] = ds(name);
error_codes[current] = (char *)NULL;
}
add_ec_val(name, val, description)
char *name, *val, *description;
{
int ncurrent = atoi(val);
if (ncurrent < current) {
printf("Error code %s (%d) out of order", name,
current);
return;
}
while (ncurrent > current)
fputs("\t(char *)NULL,\n", cfile), current++;
fprintf(cfile, "\t\"%s\",\n", description);
if (error_codes == (char **)NULL) {
error_codes = (char **)malloc(sizeof(char *));
*error_codes = (char *)NULL;
}
error_codes = (char **)realloc((char *)error_codes,
(current + 2)*sizeof(char *));
error_codes[current++] = ds(name);
error_codes[current] = (char *)NULL;
}
put_ecs()
{
int i;
for (i = 0; i < current; i++) {
if (error_codes[i] != (char *)NULL)
fprintf(hfile, "#define %-40s ((%s)%d)\n",
error_codes[i], ERROR_CODE, table_number + i);
}
}
/*
* char_to_num -- maps letters and numbers into a small numbering space
* uppercase -> 1-26
* lowercase -> 27-52
* digits -> 53-62
* underscore-> 63
*/
int
char_to_num(c)
char c;
{
if (isupper(c))
return(c-'A'+1);
else if (islower(c))
return(c-'a'+27);
else if (isdigit(c))
return(c-'0'+53);
else {
fprintf(stderr, "Illegal character in name: %c\n", c);
exit(1);
/*NOTREACHED*/
}
}
set_table_num(string)
char *string;
{
if (strlen(string) > 4) {
fprintf(stderr, "Table name %s too long, truncated ",
string);
string[4] = '\0';
fprintf(stderr, "to %s\n", string);
}
while (*string != '\0') {
table_number = (table_number << BITS_PER_CHAR)
+ char_to_num(*string);
string++;
}
table_number = table_number << ERRCODE_RANGE;
}
#include "et_lex.lex.c"
-29
View File
@@ -1,29 +0,0 @@
%{
extern int yylineno;
int yylineno = 1;
%}
PC [^\"\n]
AN [A-Z_a-z0-9]
%%
error_table return ERROR_TABLE;
et return ERROR_TABLE;
error_code return ERROR_CODE_ENTRY;
ec return ERROR_CODE_ENTRY;
end return END;
[\t ]+ ;
\n ++yylineno;
\"{PC}*\" { register char *p; yylval.dynstr = ds(yytext+1);
if (p=rindex(yylval.dynstr, '"')) *p='\0';
return QUOTED_STRING;
}
{AN}* { yylval.dynstr = ds(yytext); return STRING; }
#.*\n ++yylineno;
. { return (*yytext); }
%%
-44
View File
@@ -1,44 +0,0 @@
/*
* Copyright 1987 by MIT Student Information Processing Board
* For copyright info, see Copyright.SIPB.
*
* $Id: et_name.c,v 1.2 1994/07/19 19:21:27 g89r4222 Exp $
*/
#include "error_table.h"
static char copyright[] = "Copyright 1987 by MIT Student Information Processing Board";
char *malloc();
char *
error_table_name(num)
int num;
{
register int ch;
register int i;
register char *buf, *p;
/* num = aa aaa abb bbb bcc ccc cdd ddd d?? ??? ??? */
buf = malloc(5);
p = buf;
num >>= ERRCODE_RANGE;
/* num = ?? ??? ??? aaa aaa bbb bbb ccc ccc ddd ddd */
num &= 077777777;
/* num = 00 000 000 aaa aaa bbb bbb ccc ccc ddd ddd */
for (i = 0; i < 5; i++) {
ch = (num >> 24-6*i) & 077;
if (ch == 0)
continue;
else if (ch < 27)
*p++ = ch - 1 + 'A';
else if (ch < 53)
*p++ = ch - 27 + 'a';
else if (ch < 63)
*p++ = ch - 53 + '0';
else /* ch == 63 */
*p++ = '_';
}
return(buf);
}
-67
View File
@@ -1,67 +0,0 @@
/*
* Copyright 1986 by MIT Information Systems and
* MIT Student Information Processing Board
* For copyright info, see Copyright.SIPB.
*
* form: init_et.c,v 1.1 86/11/10 21:42:26 spook Exp $
* $Id: init_et.c,v 1.2 1994/07/19 19:21:28 g89r4222 Exp $
*/
#include <stdio.h>
#include "error_table.h"
static char copyright[] = "Copyright 1987 by MIT Student Information Processing Board";
extern char *malloc(), *realloc();
/* useful */
typedef error_table *etp;
typedef etp *etpp;
etpp _et_list = (etpp)NULL;
static int n_allocated = 0, n_used = 0;
int
init_error_table(msgs, base, count)
char **msgs;
register int base;
int count;
{
register int i;
register etp new_et;
register etpp list;
if (!base || !count || !msgs)
return;
new_et = (etp)malloc(sizeof(error_table));
new_et->msgs = msgs;
new_et->base = base;
new_et->n_msgs= count;
list = _et_list;
if (list == (etpp)NULL) {
_et_list = (etpp) malloc(10*sizeof(etp));
list = _et_list;
if (list == (etpp)NULL)
return; /* oops */
list[0] = new_et;
list[1] = (etp)NULL;
n_allocated = 10;
n_used = 1;
return;
}
for (i = 0; i < n_used; i++)
if (list[i]->base == base)
return; /* avoid duplicates */
if (n_used+2 > n_allocated) {
n_allocated += 10; /* don't re-allocate too often */
list = (etpp) realloc((char *)list,
(unsigned)n_allocated * sizeof(etp));
_et_list = list;
if (list == (etpp)NULL)
return; /* oops */
}
list[n_used++] = new_et;
list[n_used] = (etp)NULL;
}
-76
View File
@@ -1,76 +0,0 @@
/*
* Copyright 1987 by MIT Student Information Processing Board
* For copyright info, see Copyright.SIPB
*
* $Id: perror.c,v 1.2 1994/07/19 19:21:30 g89r4222 Exp $
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/uio.h>
#include "error_table.h"
typedef int (*int_func)();
#if defined(mips) && defined(ultrix)
int errno; /* this is needed to keep the loader from complaining */
#endif
int_func com_err_hook = (int_func) NULL;
char *error_message();
void
com_err(whoami, code, message)
char *whoami;
int code;
char *message;
{
struct iovec strings[6];
if (com_err_hook) {
(*com_err_hook)(whoami, code, message);
return;
}
strings[0].iov_base = whoami;
strings[0].iov_len = strlen(whoami);
if (whoami) {
strings[1].iov_base = ": ";
strings[1].iov_len = 2;
} else
strings[1].iov_len = 0;
if (code) {
register char *errmsg = error_message(code);
strings[2].iov_base = errmsg;
strings[2].iov_len = strlen(errmsg);
} else
strings[2].iov_len = 0;
strings[3].iov_base = " ";
strings[3].iov_len = 1;
strings[4].iov_base = message;
strings[4].iov_len = strlen(message);
strings[5].iov_base = "\n";
strings[5].iov_len = 1;
(void) writev(2, strings, 6);
}
int_func
set_com_err_hook(new_proc)
int_func new_proc;
{
register int_func x = com_err_hook;
com_err_hook = new_proc;
return (x);
}
reset_com_err_hook()
{
com_err_hook = (int_func) NULL;
}
void
perror(msg)
register const char *msg;
{
com_err(msg, errno, (char *)NULL);
}
-43
View File
@@ -1,43 +0,0 @@
#include <stdio.h>
#include <errno.h>
#include "test1.h"
#include "test2.h"
char *error_message();
extern int sys_nerr, errno;
main()
{
printf("\nBefore initiating error table:\n\n");
printf("Table name '%s'\n", error_table_name(KRB_MK_AP_TGTEXP));
printf("UNIX name '%s'\n", error_table_name(EPERM));
printf("Msg TGT-expired is '%s'\n", error_message(KRB_MK_AP_TGTEXP));
printf("Msg EPERM is '%s'\n", error_message(EPERM));
printf("Msg FOO_ERR is '%s'\n", error_message(FOO_ERR));
printf("Msg {sys_nerr-1} is '%s'\n", error_message(sys_nerr-1));
printf("Msg {sys_nerr} is '%s'\n", error_message(sys_nerr));
init_error_table(0, 0, 0);
printf("With 0: tgt-expired -> %s\n", error_message(KRB_MK_AP_TGTEXP));
init_krb_err_tbl();
printf("KRB error table initialized: base %d (%s), name %s\n",
krb_err_base, error_message(krb_err_base),
error_table_name(krb_err_base));
printf("With krb: tgt-expired -> %s\n",
error_message(KRB_MK_AP_TGTEXP));
init_quux_err_tbl();
printf("QUUX error table initialized: base %d (%s), name %s\n",
quux_err_base, error_message(quux_err_base),
error_table_name(quux_err_base));
printf("Msg for TGT-expired is '%s'\n",
error_message(KRB_MK_AP_TGTEXP));
printf("Msg {sys_nerr-1} is '%s'\n", error_message(sys_nerr-1));
printf("Msg FOO_ERR is '%s'\n", error_message(FOO_ERR));
printf("Msg KRB_SKDC_CANT is '%s'\n",
error_message(KRB_SKDC_CANT));
printf("Msg 1e6 is '%s'\n", error_message(1000000));
errno = FOO_ERR;
perror("FOO_ERR");
}
-69
View File
@@ -1,69 +0,0 @@
error_table krb
error_code KRB_MK_AP_TKFIL,
"Can't read ticket file"
ec KRB_MK_AP_NOTKT,
"Can't find ticket or TGT"
ec KRB_MK_AP_TGTEXP,
"TGT expired"
ec KRB_RD_AP_UNDEC,
"Can't decode authenticator"
ec KRB_RD_AP_EXP,
"Ticket expired"
ec KRB_RD_AP_REPEAT,
"Repeated request"
ec KRB_RD_AP_NOT_US,
"The ticket isn't for us"
ec KRB_RD_AP_INCON,
"Request is inconsistent"
ec KRB_RD_AP_TIME,
"Delta-T too big"
ec KRB_RD_AP_BADD,
"Incorrect net address"
ec KRB_RD_AP_VERSION,
"Protocol version mismatch"
ec KRB_RD_AP_MSG_TYPE,
"Invalid message type"
ec KRB_RD_AP_MODIFIED,
"Message stream modified"
ec KRB_RD_AP_ORDER,
"Message out of order"
ec KRB_RD_AP_UNAUTHOR,
"Unauthorized request"
ec KRB_GT_PW_NULL,
"Current password is null"
ec KRB_GT_PW_BADPW,
"Incorrect current password"
ec KRB_GT_PW_PROT,
"Protocol error"
ec KRB_GT_PW_KDCERR,
"Error returned by KDC"
ec KRB_GT_PW_NULLTKT,
"Null ticket returned by KDC"
ec KRB_SKDC_RETRY,
"Retry count exceeded"
ec KRB_SKDC_CANT,
"Can't send request"
end
-9
View File
@@ -1,9 +0,0 @@
error_table quux
ec FOO_ERR, "foo"
ec BAR_ERR, "bar"
ec BAZ_ERR, "meow"
end
-15
View File
@@ -1,15 +0,0 @@
# $Id: MISSING,v 1.1.1.1 1994/09/30 14:49:50 csgr Exp $
The following symbols (you can find in the USA libdes) are still missing
in this source.
_des_cblock_print_file
_des_generate_random_block
_des_init_random_number_generator
_des_new_random_key
_des_set_random_generator_seed
_des_set_sequence_number
_des_debug
# END
-121
View File
@@ -1,121 +0,0 @@
/* des.h */
/* Copyright (C) 1993 Eric Young - see README for more details */
/*-
* $Id: des.h,v 1.2 1994/07/19 19:22:17 g89r4222 Exp $
*/
#ifndef DES_DEFS
#define DES_DEFS
typedef unsigned char des_cblock[8];
typedef struct des_ks_struct
{
union {
des_cblock _;
/* make sure things are correct size on machines with
* 8 byte longs */
unsigned long pad[2];
} ks;
#define _ ks._
} des_key_schedule[16];
#define DES_KEY_SZ (sizeof(des_cblock))
#define DES_ENCRYPT 1
#define DES_DECRYPT 0
#define DES_CBC_MODE 0
#define DES_PCBC_MODE 1
#define C_Block des_cblock
#define Key_schedule des_key_schedule
#define ENCRYPT DES_ENCRYPT
#define DECRYPT DES_DECRYPT
#define KEY_SZ DES_KEY_SZ
#define string_to_key des_string_to_key
#define read_pw_string des_read_pw_string
#define random_key des_random_key
#define pcbc_encrypt des_pcbc_encrypt
#define set_key des_set__key
#define key_sched des_key_sched
#define ecb_encrypt des_ecb_encrypt
#define cbc_encrypt des_cbc_encrypt
#define cbc_cksum des_cbc_cksum
#define quad_cksum des_quad_cksum
/* For compatibility with the MIT lib - eay 20/05/92 */
typedef struct des_ks_struct bit_64;
extern int des_check_key; /* defaults to false */
extern int des_rw_mode; /* defaults to DES_PCBC_MODE */
/* The next line is used to disable full ANSI prototypes, if your
* compiler has problems with the prototypes, make sure this line always
* evaluates to true :-) */
#if !defined(MSDOS) && !defined(__STDC__)
#ifndef KERBEROS
int des_3ecb_encrypt();
int des_cbc_encrypt();
int des_3cbc_encrypt();
int des_cfb_encrypt();
int des_ecb_encrypt();
int des_encrypt();
int des_enc_read();
int des_enc_write();
int des_ofb_encrypt();
int des_pcbc_encrypt();
int des_random_key();
int des_read_password();
int des_read_2passwords();
int des_read_pw_string();
int des_is_weak_key();
int des_set__key();
int des_key_sched();
int des_string_to_key();
int des_string_to_2keys();
#endif
char *crypt();
unsigned long des_cbc_cksum();
unsigned long des_quad_cksum();
unsigned long des_cbc_cksum();
void des_set_odd_parity();
#else /* PROTO */
int des_3ecb_encrypt(des_cblock *input,des_cblock *output,\
des_key_schedule ks1,des_key_schedule ks2,int encrypt);
unsigned long des_cbc_cksum(des_cblock *input,des_cblock *output,\
long length,des_key_schedule schedule,des_cblock *ivec);
int des_cbc_encrypt(des_cblock *input,des_cblock *output,long length,\
des_key_schedule schedule,des_cblock *ivec,int encrypt);
int des_3cbc_encrypt(des_cblock *input,des_cblock *output,long length,\
des_key_schedule sk1,des_key_schedule sk2,\
des_cblock *ivec1,des_cblock *ivec2,int encrypt);
int des_cfb_encrypt(unsigned char *in,unsigned char *out,int numbits,\
long length,des_key_schedule schedule,des_cblock *ivec,int encrypt);
int des_ecb_encrypt(des_cblock *input,des_cblock *output,\
des_key_schedule ks,int encrypt);
int des_encrypt(unsigned long *input,unsigned long *output,
des_key_schedule ks, int encrypt);
int des_enc_read(int fd,char *buf,int len,des_key_schedule sched,\
des_cblock *iv);
int des_enc_write(int fd,char *buf,int len,des_key_schedule sched,\
des_cblock *iv);
char *crypt(char *buf,char *salt);
int des_ofb_encrypt(unsigned char *in,unsigned char *out,\
int numbits,long length,des_key_schedule schedule,des_cblock *ivec);
int des_pcbc_encrypt(des_cblock *input,des_cblock *output,long length,\
des_key_schedule schedule,des_cblock *ivec,int encrypt);
unsigned long des_quad_cksum(des_cblock *input,des_cblock *output,\
long length,int out_count,des_cblock *seed);
int des_random_key(des_cblock ret);
int des_read_password(des_cblock *key,char *prompt,int verify);
int des_read_2passwords(des_cblock *key1,des_cblock *key2, \
char *prompt,int verify);
int des_read_pw_string(char *buf,int length,char *prompt,int verify);
void des_set_odd_parity(des_cblock *key);
int des_is_weak_key(des_cblock *key);
int des_set__key(des_cblock *key,des_key_schedule schedule);
int des_key_sched(des_cblock *key,des_key_schedule schedule);
int des_string_to_key(char *str,des_cblock *key);
int des_string_to_2keys(char *str,des_cblock *key1,des_cblock *key2);
#endif
#endif
-10
View File
@@ -1,10 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.3 1995/07/18 16:35:54 mark Exp $
PROG= ext_srvtab
CFLAGS+=-DKERBEROS -I${.CURDIR}/../include -Wall
DPADD= ${LIBKDB} ${LIBKRB}
LDADD+= -L${KDBOBJDIR} -lkdb -L${KRBOBJDIR} -lkrb -ldes
MAN8= ext_srvtab.8
.include <bsd.prog.mk>
-62
View File
@@ -1,62 +0,0 @@
.\" from: ext_srvtab.8,v 4.2 89/07/18 16:53:18 jtkohl Exp $
.\" $Id: ext_srvtab.8,v 1.1.1.1 1994/09/30 14:50:05 csgr Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH EXT_SRVTAB 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
ext_srvtab \- extract service key files from Kerberos key distribution center database
.SH SYNOPSIS
ext_srvtab [
.B \-n
] [
.B \-r realm
] [
.B hostname ...
]
.SH DESCRIPTION
.I ext_srvtab
extracts service key files from the Kerberos key distribution center
(KDC) database.
.PP
Upon execution, it prompts the user to enter the master key string for
the database. If the
.B \-n
option is specified, the master key is instead fetched from the master
key cache file.
.PP
For each
.I hostname
specified on the command line,
.I ext_srvtab
creates the service key file
.IR hostname -new-srvtab,
containing all the entries in the database with an instance field of
.I hostname.
This new file contains all the keys registered for Kerberos-mediated
service providing programs which use the
.IR krb_get_phost (3)
principal and instance conventions to run on the host
.IR hostname .
If the
.B \-r
option is specified, the realm fields in the extracted file will
match the given realm rather than the local realm.
.SH DIAGNOSTICS
.TP 20n
"verify_master_key: Invalid master key, does not match database."
The master key string entered was incorrect.
.SH FILES
.TP 20n
/etc/kerberosIV/principal.db
DBM file containing database
.TP
/etc/kerberosIV/principal.ok
Semaphore indicating that the DBM database is not being modified.
.TP
/etc/kerberosIV/master_key
Master key cache file.
.SH SEE ALSO
read_service_key(3), krb_get_phost(3)
-176
View File
@@ -1,176 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
*
* from: ext_srvtab.c,v 4.1 89/07/18 16:49:30 jtkohl Exp $
* $Id: ext_srvtab.c,v 1.3 1995/07/18 16:35:55 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: ext_srvtab.c,v 1.3 1995/07/18 16:35:55 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <string.h>
#include <sys/file.h>
#include <sys/types.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <signal.h>
#include <des.h>
#include <krb.h>
#include <krb_db.h>
#define TRUE 1
#define FALSE 0
static C_Block master_key;
static C_Block session_key;
static Key_schedule master_key_schedule;
char progname[] = "ext_srvtab";
char realm[REALM_SZ];
void FWrite(char *p, int size, int n, FILE *f);
void StampOutSecrets(void);
void usage(void);
int
main(argc, argv)
int argc;
char *argv[];
{
FILE *fout;
char fname[1024];
int fopen_errs = 0;
int arg;
Principal princs[40];
int more;
int prompt = TRUE;
register int n, i;
bzero(realm, sizeof(realm));
/* Parse commandline arguments */
if (argc < 2)
usage();
else {
for (i = 1; i < argc; i++) {
if (strcmp(argv[i], "-n") == 0)
prompt = FALSE;
else if (strcmp(argv[i], "-r") == 0) {
if (++i >= argc)
usage();
else {
strcpy(realm, argv[i]);
/*
* This is to humor the broken way commandline
* argument parsing is done. Later, this
* program ignores everything that starts with -.
*/
argv[i][0] = '-';
}
}
else if (argv[i][0] == '-')
usage();
else
if (!k_isinst(argv[i])) {
fprintf(stderr, "%s: bad instance name: %s\n",
progname, argv[i]);
usage();
}
}
}
if (kdb_get_master_key (prompt, master_key, master_key_schedule) != 0) {
fprintf (stderr, "Couldn't read master key.\n");
fflush (stderr);
exit(1);
}
if (kdb_verify_master_key (master_key, master_key_schedule, stderr) < 0) {
exit(1);
}
/* For each arg, search for instances of arg, and produce */
/* srvtab file */
if (!realm[0])
if (krb_get_lrealm(realm, 1) != KSUCCESS) {
fprintf(stderr, "%s: couldn't get local realm\n", progname);
exit(1);
}
(void) umask(077);
for (arg = 1; arg < argc; arg++) {
if (argv[arg][0] == '-')
continue;
sprintf(fname, "%s-new-srvtab", argv[arg]);
if ((fout = fopen(fname, "w")) == NULL) {
fprintf(stderr, "Couldn't create file '%s'.\n", fname);
fopen_errs++;
continue;
}
printf("Generating '%s'....\n", fname);
n = kerb_get_principal("*", argv[arg], &princs[0], 40, &more);
if (more)
fprintf(stderr, "More than 40 found...\n");
for (i = 0; i < n; i++) {
FWrite(princs[i].name, strlen(princs[i].name) + 1, 1, fout);
FWrite(princs[i].instance, strlen(princs[i].instance) + 1,
1, fout);
FWrite(realm, strlen(realm) + 1, 1, fout);
FWrite(&princs[i].key_version,
sizeof(princs[i].key_version), 1, fout);
bcopy(&princs[i].key_low, session_key, sizeof(long));
bcopy(&princs[i].key_high, session_key + sizeof(long),
sizeof(long));
kdb_encrypt_key (session_key, session_key,
master_key, master_key_schedule, DES_DECRYPT);
FWrite(session_key, sizeof session_key, 1, fout);
}
fclose(fout);
}
StampOutSecrets();
exit(fopen_errs); /* 0 errors if successful */
}
void
Die()
{
StampOutSecrets();
exit(1);
}
void
FWrite(p, size, n, f)
char *p;
int size;
int n;
FILE *f;
{
if (fwrite(p, size, n, f) != n) {
printf("Error writing output file. Terminating.\n");
Die();
}
}
void
StampOutSecrets()
{
bzero(master_key, sizeof master_key);
bzero(session_key, sizeof session_key);
bzero(master_key_schedule, sizeof master_key_schedule);
}
void
usage()
{
fprintf(stderr,
"Usage: %s [-n] [-r realm] instance [instance ...]\n", progname);
exit(1);
}
-138
View File
@@ -1,138 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* Definitions for Kerberos administration server & client
*
* from: kadm.h,v 4.2 89/09/26 09:15:20 jtkohl Exp $
* $Id: kadm.h,v 1.2 1994/07/19 19:23:09 g89r4222 Exp $
*/
#ifndef KADM_DEFS
#define KADM_DEFS
/*
* kadm.h
* Header file for the fourth attempt at an admin server
* Doug Church, December 28, 1989, MIT Project Athena
*/
/* for those broken Unixes without this defined... should be in sys/param.h */
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64
#endif
#include <sys/types.h>
#include <netinet/in.h>
#include <krb.h>
#include <des.h>
/* The global structures for the client and server */
typedef struct {
struct sockaddr_in admin_addr;
struct sockaddr_in my_addr;
int my_addr_len;
int admin_fd; /* file descriptor for link to admin server */
char sname[ANAME_SZ]; /* the service name */
char sinst[INST_SZ]; /* the services instance */
char krbrlm[REALM_SZ];
} Kadm_Client;
typedef struct { /* status of the server, i.e the parameters */
int inter; /* Space for command line flags */
char *sysfile; /* filename of server */
} admin_params; /* Well... it's the admin's parameters */
/* Largest password length to be supported */
#define MAX_KPW_LEN 128
/* Largest packet the admin server will ever allow itself to return */
#define KADM_RET_MAX 2048
/* That's right, versions are 8 byte strings */
#define KADM_VERSTR "KADM0.0A"
#define KADM_ULOSE "KYOULOSE" /* sent back when server can't
decrypt client's msg */
#define KADM_VERSIZE strlen(KADM_VERSTR)
/* the lookups for the server instances */
#define PWSERV_NAME "changepw"
#define KADM_SNAME "kerberos_master"
#define KADM_SINST "kerberos"
/* Attributes fields constants and macros */
#define ALLOC 2
#define RESERVED 3
#define DEALLOC 4
#define DEACTIVATED 5
#define ACTIVE 6
/* Kadm_vals structure for passing db fields into the server routines */
#define FLDSZ 4
typedef struct {
u_char fields[FLDSZ]; /* The active fields in this struct */
char name[ANAME_SZ];
char instance[INST_SZ];
unsigned long key_low;
unsigned long key_high;
unsigned long exp_date;
unsigned short attributes;
unsigned char max_life;
} Kadm_vals; /* The basic values structure in Kadm */
/* Kadm_vals structure for passing db fields into the server routines */
#define FLDSZ 4
/* Need to define fields types here */
#define KADM_NAME 31
#define KADM_INST 30
#define KADM_EXPDATE 29
#define KADM_ATTR 28
#define KADM_MAXLIFE 27
#define KADM_DESKEY 26
/* To set a field entry f in a fields structure d */
#define SET_FIELD(f,d) (d[3-(f/8)]|=(1<<(f%8)))
/* To set a field entry f in a fields structure d */
#define CLEAR_FIELD(f,d) (d[3-(f/8)]&=(~(1<<(f%8))))
/* Is field f in fields structure d */
#define IS_FIELD(f,d) (d[3-(f/8)]&(1<<(f%8)))
/* Various return codes */
#define KADM_SUCCESS 0
#define WILDCARD_STR "*"
enum acl_types {
ADDACL,
GETACL,
MODACL
};
/* Various opcodes for the admin server's functions */
#define CHANGE_PW 2
#define ADD_ENT 3
#define MOD_ENT 4
#define GET_ENT 5
extern long kdb_get_master_key(); /* XXX should be in krb_db.h */
extern long kdb_verify_master_key(); /* XXX ditto */
extern long krb_mk_priv(), krb_rd_priv(); /* XXX should be in krb.h */
extern void krb_set_tkt_string(); /* XXX ditto */
extern unsigned long quad_cksum(); /* XXX should be in des.h */
/* XXX This doesn't belong here!!! */
char *malloc(), *realloc();
#ifdef POSIX
typedef void sigtype;
#else
typedef int sigtype;
#endif
#endif KADM_DEFS
-20
View File
@@ -1,20 +0,0 @@
/*
Copyright (C) 1989 by the Massachusetts Institute of Technology
Export of this software from the United States of America is assumed
to require a specific license from the United States Government.
It is the responsibility of any person or organization contemplating
export to obtain such a license before exporting.
WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
distribute this software and its documentation for any purpose and
without fee is hereby granted, provided that the above copyright
notice appear in all copies and that both that copyright notice and
this permission notice appear in supporting documentation, and that
the name of M.I.T. not be used in advertising or publicity pertaining
to distribution of the software without specific, written prior
permission. M.I.T. makes no representations about the suitability of
this software for any purpose. It is provided "as is" without express
or implied warranty.
*/
-8
View File
@@ -1,8 +0,0 @@
# $Id$
To re-create this directory from outside the US, take the Makefile
(provided), get the two source files from the original eBones distribution,
do a `perl -spi.bak -e 's/\$(Header[^\$])\$/$1/g' *.{c,ct}', and then
edit the #includes in kadmin.c to make things compile.
Unfortunately, this program is not exportable.
-19
View File
@@ -1,19 +0,0 @@
# $Id: Makefile,v 1.1 1995/07/18 16:36:53 mark Exp $
BINDIR= /usr/bin
PROG= kadmin
SRCS= kadmin.c kadmin_cmds.c
CLEANFILES+= kadmin_cmds.c
CFLAGS+= -DPOSIX -I${.CURDIR}/../include -I${KRBOBJDIR}
CFLAGS+= -I${.CURDIR}/../libkadm -Wall
LDADD+= -L${KADMOBJDIR} -lkadm -L${KRBOBJDIR} -lkrb -ldes
LDADD+= -lss -lcom_err
MAN8= kadmin.8
kadmin_cmds.c: kadmin_cmds.ct
test -e kadmin_cmds.ct || ln -s ${.CURDIR}/kadmin_cmds.ct .
mk_cmds kadmin_cmds.ct
.include <bsd.prog.mk>
-158
View File
@@ -1,158 +0,0 @@
.\" from: kadmin.8,v 4.2 89/07/25 17:20:02 jtkohl Exp $
.\" $Id: kadmin.8,v 1.2 1994/07/19 19:27:22 g89r4222 Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KADMIN 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kadmin \- network utility for Kerberos database administration
.SH SYNOPSIS
.B kadmin [-u user] [-r default_realm] [-m]
.SH DESCRIPTION
This utility provides a unified administration interface to
the
Kerberos
master database.
Kerberos
administrators
use
.I kadmin
to register new users and services to the master database,
and to change information about existing database entries.
For instance, an administrator can use
.I kadmin
to change a user's
Kerberos
password.
A Kerberos administrator is a user with an ``admin'' instance
whose name appears on one of the Kerberos administration access control
lists. If the \-u option is used,
.I user
will be used as the administrator instead of the local user.
If the \-r option is used,
.I default_realm
will be used as the default realm for transactions. Otherwise,
the local realm will be used by default.
If the \-m option is used, multiple requests will be permitted
on only one entry of the admin password. Some sites won't
support this option.
The
.I kadmin
program communicates over the network with the
.I kadmind
program, which runs on the machine housing the Kerberos master
database.
The
.I kadmind
creates new entries and makes modifications to the database.
When you enter the
.I kadmin
command,
the program displays a message that welcomes you and explains
how to ask for help.
Then
.I kadmin
waits for you to enter commands (which are described below).
It then asks you for your
.I admin
password before accessing the database.
Use the
.I add_new_key
(or
.I ank
for short)
command to register a new principal
with the master database.
The command requires one argument,
the principal's name. The name
given can be fully qualified using
the standard
.I name.instance@realm
convention.
You are asked to enter your
.I admin
password,
then prompted twice to enter the principal's
new password. If no realm is specified,
the local realm is used unless another was
given on the commandline with the \-r flag.
If no instance is
specified, a null instance is used. If
a realm other than the default realm is specified,
you will need to supply your admin password for
the other realm.
Use the
.I change_password (cpw)
to change a principal's
Kerberos
password.
The command requires one argument,
the principal's
name.
You are asked to enter your
.I admin
password,
then prompted twice to enter the principal's new password.
The name
given can be fully qualified using
the standard
.I name.instance@realm
convention.
Use the
.I change_admin_password (cap)
to change your
.I admin
instance password.
This command requires no arguments.
It prompts you for your old
.I admin
password, then prompts you twice to enter the new
.I admin
password. If this is your first command,
the default realm is used. Otherwise, the realm
used in the last command is used.
Use the
.I destroy_tickets (dest)
command to destroy your admin tickets explicitly.
Use the
.I list_requests (lr)
command to get a list of possible commands.
Use the
.I help
command to display
.IR kadmin's
various help messages.
If entered without an argument,
.I help
displays a general help message.
You can get detailed information on specific
.I kadmin
commands
by entering
.I help
.IR command_name .
To quit the program, type
.IR quit .
.SH BUGS
The user interface is primitive, and the command names could be better.
.SH "SEE ALSO"
kerberos(1), kadmind(8), kpasswd(1), ksrvutil(8)
.br
``A Subsystem Utilities Package for UNIX'' by Ken Raeburn
.SH AUTHORS
Jeffrey I. Schiller, MIT Project Athena
.br
Emanuel Jay Berkenbilt, MIT Project Athena
-636
View File
@@ -1,636 +0,0 @@
/*
* $Source: /usr/cvs/src/eBones/kadmin/kadmin.c,v $
* $Author: mark $
*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* Copyright.MIT.
*
* Kerberos database administrator's tool.
*
* The default behavior of kadmin is if the -m option is given
* on the commandline, multiple requests are allowed to be given
* with one entry of the admin password (until the tickets expire).
* If you do not want this to be an available option, compile with
* NO_MULTIPLE defined.
*/
#if 0
#ifndef lint
static char rcsid_kadmin_c[] =
"BonesHeader: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadmin.c,v 4.5 89/09/26 14:17:54 qjb Exp ";
#endif lint
#endif
#include <unistd.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <sys/param.h>
#include <pwd.h>
#include <ss/ss.h>
#include <com_err.h>
#include <krb_err.h>
#include <kadm.h>
#define BAD_PW 1
#define GOOD_PW 0
#define FUDGE_VALUE 15 /* for ticket expiration time */
#define PE_NO 0
#define PE_YES 1
#define PE_UNSURE 2
/* for get_password, whether it should do the swapping...necessary for
using vals structure, unnecessary for change_pw requests */
#define DONTSWAP 0
#define SWAP 1
static void do_init(int argc, char *argv[]);
void clean_up(void);
int get_password(unsigned long *low, unsigned long *high, char *prompt,
int byteswap);
int get_admin_password(void);
int princ_exists(char *name, char *instance, char *realm);
extern ss_request_table admin_cmds;
static char myname[ANAME_SZ];
static char default_realm[REALM_SZ]; /* default kerberos realm */
static char krbrlm[REALM_SZ]; /* current realm being administered */
#ifndef NO_MULTIPLE
static int multiple = 0; /* Allow multiple requests per ticket */
#endif
int
main(argc, argv)
int argc;
char *argv[];
{
int sci_idx;
int code;
char tktstring[MAXPATHLEN];
void quit();
sci_idx = ss_create_invocation("admin", "2.0", (char *) NULL,
&admin_cmds, &code);
if (code) {
ss_perror(sci_idx, code, "creating invocation");
exit(1);
}
(void) sprintf(tktstring, "/tmp/tkt_adm_%d",getpid());
krb_set_tkt_string(tktstring);
do_init(argc, argv);
printf("Welcome to the Kerberos Administration Program, version 2\n");
printf("Type \"help\" if you need it.\n");
ss_listen(sci_idx, &code);
printf("\n");
quit();
exit(0);
}
int
setvals(vals, string)
Kadm_vals *vals;
char *string;
{
char realm[REALM_SZ];
int status = KADM_SUCCESS;
bzero(vals, sizeof(*vals));
bzero(realm, sizeof(realm));
SET_FIELD(KADM_NAME,vals->fields);
SET_FIELD(KADM_INST,vals->fields);
if ((status = kname_parse(vals->name, vals->instance, realm, string))) {
printf("kerberos error: %s\n", krb_err_txt[status]);
return status;
}
if (!realm[0])
strcpy(realm, default_realm);
if (strcmp(realm, krbrlm)) {
strcpy(krbrlm, realm);
if ((status = kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm))
!= KADM_SUCCESS)
printf("kadm error for realm %s: %s\n",
krbrlm, error_message(status));
}
if (status)
return 1;
else
return KADM_SUCCESS;
}
void
change_password(argc, argv)
int argc;
char *argv[];
{
Kadm_vals old, new;
int status;
char pw_prompt[BUFSIZ];
if (argc != 2) {
printf("Usage: change_password loginname\n");
return;
}
if (setvals(&old, argv[1]) != KADM_SUCCESS)
return;
new = old;
SET_FIELD(KADM_DESKEY,new.fields);
if (princ_exists(old.name, old.instance, krbrlm) != PE_NO) {
/* get the admin's password */
if (get_admin_password() != GOOD_PW)
return;
/* get the new password */
(void) sprintf(pw_prompt, "New password for %s:", argv[1]);
if (get_password(&new.key_low, &new.key_high,
pw_prompt, SWAP) == GOOD_PW) {
status = kadm_mod(&old, &new);
if (status == KADM_SUCCESS) {
printf("Password changed for %s.\n", argv[1]);
} else {
printf("kadmin: %s\nwhile changing password for %s",
error_message(status), argv[1]);
}
} else
printf("Error reading password; password unchanged\n");
bzero((char *)&new, sizeof(new));
#ifndef NO_MULTIPLE
if (!multiple)
clean_up();
#endif
}
else
printf("kadmin: Principal does not exist.\n");
return;
}
/*ARGSUSED*/
void
change_admin_password(argc, argv)
int argc;
char *argv[];
{
des_cblock newkey;
unsigned long low, high;
int status;
char prompt_pw[BUFSIZ];
if (argc != 1) {
printf("Usage: change_admin_password\n");
return;
}
/* get the admin's password */
if (get_admin_password() != GOOD_PW)
return;
(void) sprintf(prompt_pw, "New password for %s.admin:",myname);
if (get_password(&low, &high, prompt_pw, DONTSWAP) == GOOD_PW) {
bcopy((char *)&low,(char *) newkey,4);
bcopy((char *)&high, (char *)(((long *) newkey) + 1),4);
low = high = 0L;
if ((status = kadm_change_pw(newkey)) == KADM_SUCCESS)
printf("Admin password changed\n");
else
printf("kadm error: %s\n",error_message(status));
bzero((char *)newkey, sizeof(newkey));
} else
printf("Error reading password; password unchanged\n");
#ifndef NO_MULTIPLE
if (!multiple)
clean_up();
#endif
return;
}
void
add_new_key(argc, argv)
int argc;
char *argv[];
{
Kadm_vals new;
char pw_prompt[BUFSIZ];
int status;
if (argc != 2) {
printf("Usage: add_new_key user_name.\n");
return;
}
if (setvals(&new, argv[1]) != KADM_SUCCESS)
return;
SET_FIELD(KADM_DESKEY,new.fields);
if (princ_exists(new.name, new.instance, krbrlm) != PE_YES) {
/* get the admin's password */
if (get_admin_password() != GOOD_PW)
return;
/* get the new password */
(void) sprintf(pw_prompt, "Password for %s:", argv[1]);
if (get_password(&new.key_low, &new.key_high,
pw_prompt, SWAP) == GOOD_PW) {
status = kadm_add(&new);
if (status == KADM_SUCCESS) {
printf("%s added to database.\n", argv[1]);
} else {
printf("kadm error: %s\n",error_message(status));
}
} else
printf("Error reading password; %s not added\n",argv[1]);
bzero((char *)&new, sizeof(new));
#ifndef NO_MULTIPLE
if (!multiple)
clean_up();
#endif
}
else
printf("kadmin: Principal already exists.\n");
return;
}
void
get_entry(argc, argv)
int argc;
char *argv[];
{
int status;
u_char fields[4];
Kadm_vals vals;
if (argc != 2) {
printf("Usage: get_entry username\n");
return;
}
bzero(fields, sizeof(fields));
SET_FIELD(KADM_NAME,fields);
SET_FIELD(KADM_INST,fields);
SET_FIELD(KADM_EXPDATE,fields);
SET_FIELD(KADM_ATTR,fields);
SET_FIELD(KADM_MAXLIFE,fields);
if (setvals(&vals, argv[1]) != KADM_SUCCESS)
return;
if (princ_exists(vals.name, vals.instance, krbrlm) != PE_NO) {
/* get the admin's password */
if (get_admin_password() != GOOD_PW)
return;
if ((status = kadm_get(&vals, fields)) == KADM_SUCCESS)
prin_vals(&vals);
else
printf("kadm error: %s\n",error_message(status));
#ifndef NO_MULTIPLE
if (!multiple)
clean_up();
#endif
}
else
printf("kadmin: Principal does not exist.\n");
return;
}
void
help(argc, argv)
int argc;
char *argv[];
{
if (argc == 1) {
printf("Welcome to the Kerberos administration program.");
printf("Type \"?\" to get\n");
printf("a list of requests that are available. You can");
printf(" get help on each of\n");
printf("the commands by typing \"help command_name\".");
printf(" Some functions of this\n");
printf("program will require an \"admin\" password");
printf(" from you. This is a password\n");
printf("private to you, that is used to authenticate");
printf(" requests from this\n");
printf("program. You can change this password with");
printf(" the \"change_admin_password\"\n");
printf("(or short form \"cap\") command. Good Luck! \n");
} else if (!strcmp(argv[1], "change_password") ||
!strcmp(argv[1], "cpw")) {
printf("Usage: change_password user_name.\n");
printf("\n");
printf("user_name is the name of the user whose password");
printf(" you wish to change. \n");
printf("His/her password is changed in the kerberos database\n");
printf("When this command is issued, first the \"Admin\"");
printf(" password will be prompted\n");
printf("for and if correct the user's new password will");
printf(" be prompted for (twice with\n");
printf("appropriate comparison). Note: No minimum password");
printf(" length restrictions apply, but\n");
printf("longer passwords are more secure.\n");
} else if (!strcmp(argv[1], "change_admin_password") ||
!strcmp(argv[1], "cap")) {
printf("Usage: change_admin_password.\n");
printf("\n");
printf("This command takes no arguments and is used");
printf(" to change your private\n");
printf("\"Admin\" password. It will first prompt for");
printf(" the (current) \"Admin\"\n");
printf("password and then ask for the new password");
printf(" by prompting:\n");
printf("\n");
printf("New password for <Your User Name>.admin:\n");
printf("\n");
printf("Enter the new admin password that you desire");
printf(" (it will be asked for\n");
printf("twice to avoid errors).\n");
} else if (!strcmp(argv[1], "add_new_key") ||
!strcmp(argv[1], "ank")) {
printf("Usage: add_new_key user_name.\n");
printf("\n");
printf("user_name is the name of a new user to put");
printf(" in the kerberos database. Your\n");
printf("\"Admin\" password and the user's password");
printf(" are prompted for. The user's\n");
printf("password will be asked for");
printf(" twice to avoid errors.\n");
} else if (!strcmp(argv[1], "get_entry") ||
!strcmp(argv[1], "get")) {
printf("Usage: get_entry user_name.\n");
printf("\n");
printf("user_name is the name of a user whose");
printf(" entry you wish to review. Your\n");
printf("\"Admin\" password is prompted for. ");
printf(" The key field is not filled in, for\n");
printf("security reasons.\n");
} else if (!strcmp(argv[1], "destroy_tickets") ||
!strcmp(argv[1], "dest")) {
printf("Usage: destroy_tickets\n");
printf("\n");
printf("Destroy your admin tickets. This will");
printf(" cause you to be prompted for your\n");
printf("admin password on your next request.\n");
} else if (!strcmp(argv[1], "list_requests") ||
!strcmp(argv[1], "lr") ||
!strcmp(argv[1], "?")) {
printf("Usage: list_requests\n");
printf("\n");
printf("This command lists what other commands are");
printf(" currently available.\n");
} else if (!strcmp(argv[1], "exit") ||
!strcmp(argv[1], "quit") ||
!strcmp(argv[1], "q")) {
printf("Usage: quit\n");
printf("\n");
printf("This command exits this program.\n");
} else {
printf("Sorry there is no such command as %s.", argv[1]);
printf(" Type \"help\" for more information. \n");
}
return;
}
void
go_home(str,x)
char *str;
int x;
{
fprintf(stderr, "%s: %s\n", str, error_message(x));
clean_up();
exit(1);
}
static int inited = 0;
void
usage()
{
fprintf(stderr, "Usage: kadmin [-u admin_name] [-r default_realm]");
#ifndef NO_MULTIPLE
fprintf(stderr, " [-m]");
#endif
fprintf(stderr, "\n");
#ifndef NO_MULTIPLE
fprintf(stderr, " -m allows multiple admin requests to be ");
fprintf(stderr, "serviced with one entry of admin\n");
fprintf(stderr, " password.\n");
#endif
exit(1);
}
static void
do_init(argc, argv)
int argc;
char *argv[];
{
struct passwd *pw;
extern char *optarg;
extern int optind;
int c;
#ifndef NO_MULTIPLE
#define OPTION_STRING "u:r:m"
#else
#define OPTION_STRING "u:r:"
#endif
bzero(myname, sizeof(myname));
if (!inited) {
/*
* This is only as a default/initial realm; we don't care
* about failure.
*/
if (krb_get_lrealm(default_realm, 1) != KSUCCESS)
strcpy(default_realm, KRB_REALM);
/*
* If we can reach the local realm, initialize to it. Otherwise,
* don't initialize.
*/
if (kadm_init_link(PWSERV_NAME, KRB_MASTER, krbrlm) != KADM_SUCCESS)
bzero(krbrlm, sizeof(krbrlm));
else
strcpy(krbrlm, default_realm);
while ((c = getopt(argc, argv, OPTION_STRING)) != EOF)
switch (c) {
case 'u':
strncpy(myname, optarg, sizeof(myname) - 1);
break;
case 'r':
bzero(default_realm, sizeof(default_realm));
strncpy(default_realm, optarg, sizeof(default_realm) - 1);
break;
#ifndef NO_MULTIPLE
case 'm':
multiple++;
break;
#endif
default:
usage();
break;
}
if (optind < argc)
usage();
if (!myname[0]) {
pw = getpwuid((int) getuid());
if (!pw) {
fprintf(stderr,
"You aren't in the password file. Who are you?\n");
exit(1);
}
(void) strcpy(myname, pw->pw_name);
}
inited = 1;
}
}
#ifdef NOENCRYPTION
#define read_long_pw_string placebo_read_pw_string
#else
#define read_long_pw_string des_read_pw_string
#endif
extern int read_long_pw_string();
int
get_admin_password()
{
int status;
char admin_passwd[MAX_KPW_LEN]; /* Admin's password */
int ticket_life = 1; /* minimum ticket lifetime */
#ifndef NO_MULTIPLE
CREDENTIALS c;
if (multiple) {
/* If admin tickets exist and are valid, just exit. */
bzero(&c, sizeof(c));
if (krb_get_cred(PWSERV_NAME, KADM_SINST, krbrlm, &c) == KSUCCESS)
/*
* If time is less than lifetime - FUDGE_VALUE after issue date,
* tickets will probably last long enough for the next
* transaction.
*/
if (time(0) < (c.issue_date + (5 * 60 * c.lifetime) - FUDGE_VALUE))
return(KADM_SUCCESS);
ticket_life = DEFAULT_TKT_LIFE;
}
#endif
if (princ_exists(myname, "admin", krbrlm) != PE_NO) {
if (read_long_pw_string(admin_passwd, sizeof(admin_passwd)-1,
"Admin password:", 0)) {
fprintf(stderr, "Error reading admin password.\n");
goto bad;
}
status = krb_get_pw_in_tkt(myname, "admin", krbrlm, PWSERV_NAME,
KADM_SINST, ticket_life, admin_passwd);
bzero(admin_passwd, sizeof(admin_passwd));
}
else
status = KDC_PR_UNKNOWN;
switch(status) {
case GT_PW_OK:
return(GOOD_PW);
case KDC_PR_UNKNOWN:
printf("Principal %s.admin@%s does not exist.\n", myname, krbrlm);
goto bad;
case GT_PW_BADPW:
printf("Incorrect admin password.\n");
goto bad;
default:
com_err("kadmin", status+krb_err_base,
"while getting password tickets");
goto bad;
}
bad:
bzero(admin_passwd, sizeof(admin_passwd));
(void) dest_tkt();
return(BAD_PW);
}
void
clean_up()
{
(void) dest_tkt();
return;
}
void
quit()
{
printf("Cleaning up and exiting.\n");
clean_up();
exit(0);
}
int
princ_exists(name, instance, realm)
char *name;
char *instance;
char *realm;
{
int status;
status = krb_get_pw_in_tkt(name, instance, realm, "krbtgt", realm, 1, "");
if ((status == KSUCCESS) || (status == INTK_BADPW))
return(PE_YES);
else if (status == KDC_PR_UNKNOWN)
return(PE_NO);
else
return(PE_UNSURE);
}
int
get_password(low, high, prompt, byteswap)
unsigned long *low, *high;
char *prompt;
int byteswap;
{
char new_passwd[MAX_KPW_LEN]; /* new password */
des_cblock newkey;
do {
if (read_long_pw_string(new_passwd, sizeof(new_passwd)-1, prompt, 1))
return(BAD_PW);
if (strlen(new_passwd) == 0)
printf("Null passwords are not allowed; try again.\n");
} while (strlen(new_passwd) == 0);
#ifdef NOENCRYPTION
bzero((char *) newkey, sizeof(newkey));
#else
des_string_to_key(new_passwd, &newkey);
#endif
bzero(new_passwd, sizeof(new_passwd));
bcopy((char *) newkey,(char *)low,4);
bcopy((char *)(((long *) newkey) + 1), (char *)high,4);
bzero((char *) newkey, sizeof(newkey));
#ifdef NOENCRYPTION
*low = 1;
#endif
if (byteswap != DONTSWAP) {
*low = htonl(*low);
*high = htonl(*high);
}
return(GOOD_PW);
}
-41
View File
@@ -1,41 +0,0 @@
# $Source: /usr/cvs/src/eBones/kadmin/kadmin_cmds.ct,v $
# $Author: mark $
# $Header: /usr/cvs/src/eBones/kadmin/kadmin_cmds.ct,v 1.1 1995/07/18 16:36:56 mark Exp $
#
# Copyright 1988 by the Massachusetts Institute of Technology.
#
# For copying and distribution information, please see the file
# <mit-copyright.h>.
#
# Command table for Kerberos administration tool
#
command_table admin_cmds;
request change_password,
"Change a user's password",
change_password, cpw;
request change_admin_password, "Change your admin password",
change_admin_password, cap;
request add_new_key, "Add new user to kerberos database",
add_new_key, ank;
request get_entry, "Get entry from kerberos database",
get_entry, get;
request clean_up, "Destroy admin tickets",
destroy_tickets, dest;
request help,"Request help with this program",
help;
# list_requests is generic -- unrelated to Kerberos
request ss_list_requests, "List available requests.",
list_requests, lr, "?";
request quit, "Exit program.",
quit, exit, q;
end;
-267
View File
@@ -1,267 +0,0 @@
This directory was created from eBones by the following procedure:
1) Get the files listed in the Makefile
2) perl -spi.bak -e 's/\$(Header[^\$]*)\$/$1/g'
3) Apply the patch listed below.
diff -rc2 ../kadmind.orig/admin_server.c ./admin_server.c
*** ../kadmind.orig/admin_server.c Thu Jan 19 18:04:04 1995
--- ./admin_server.c Thu Jan 19 21:58:51 1995
***************
*** 1,10 ****
/*
- * $Source: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/admin_server.c,v $
- * $Author: jtkohl $
- *
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * <mit-copyright.h>.
*
* Top-level loop of the kerberos Administration server
--- 1,7 ----
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * Copyright.MIT.
*
* Top-level loop of the kerberos Administration server
***************
*** 12,20 ****
#ifndef lint
static char rcsid_admin_server_c[] =
! "$Id: admin_server.c,v 4.8 90/01/02 13:50:38 jtkohl Exp $";
#endif lint
- #include <mit-copyright.h>
/*
admin_server.c
--- 9,20 ----
#ifndef lint
+ #if 0
static char rcsid_admin_server_c[] =
! "Id: admin_server.c,v 4.8 90/01/02 13:50:38 jtkohl Exp ";
! #endif
! static const char rcsid[] =
! "$Id";
#endif lint
/*
admin_server.c
***************
*** 389,393 ****
--- 389,397 ----
register int i, j;
+ #ifdef POSIX
+ int status;
+ #else
union wait status;
+ #endif
pid = wait(&status);
***************
*** 400,406 ****
pidarray[j] = pidarray[j+1];
pidarraysize--;
! if (status.w_retcode || status.w_coredump || status.w_termsig)
log("child %d: termsig %d, coredump %d, retcode %d", pid,
! status.w_termsig, status.w_coredump, status.w_retcode);
#ifdef POSIX
return;
--- 404,410 ----
pidarray[j] = pidarray[j+1];
pidarraysize--;
! if (WEXITSTATUS(status) || WCOREDUMP(status) || WIFSIGNALED(status))
log("child %d: termsig %d, coredump %d, retcode %d", pid,
! WTERMSIG(status), WCOREDUMP(status), WEXITSTATUS(status));
#ifdef POSIX
return;
***************
*** 410,414 ****
}
log("child %d not in list: termsig %d, coredump %d, retcode %d", pid,
! status.w_termsig, status.w_coredump, status.w_retcode);
#ifdef POSIX
return;
--- 414,418 ----
}
log("child %d not in list: termsig %d, coredump %d, retcode %d", pid,
! WTERMSIG(status), WCOREDUMP(status), WEXITSTATUS(status));
#ifdef POSIX
return;
Only in .: admin_server.c~
diff -rc2 ../kadmind.orig/kadm_funcs.c ./kadm_funcs.c
*** ../kadmind.orig/kadm_funcs.c Thu Jan 19 18:04:04 1995
--- ./kadm_funcs.c Thu Jan 19 21:56:31 1995
***************
*** 1,10 ****
/*
- * $Source: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadm_funcs.c,v $
- * $Author: jon $
- *
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * <mit-copyright.h>.
*
* Kerberos administration server-side database manipulation routines
--- 1,7 ----
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * Copyright.MIT
*
* Kerberos administration server-side database manipulation routines
***************
*** 12,20 ****
#ifndef lint
static char rcsid_kadm_funcs_c[] =
! "$Id: kadm_funcs.c,v 4.3 90/03/20 01:39:51 jon Exp $";
#endif lint
- #include <mit-copyright.h>
/*
kadm_funcs.c
--- 9,20 ----
#ifndef lint
+ #if 0
static char rcsid_kadm_funcs_c[] =
! "Id: kadm_funcs.c,v 4.3 90/03/20 01:39:51 jon Exp ";
! #endif
! static const char rcsid[] =
! "$Id$";
#endif lint
/*
kadm_funcs.c
Only in .: kadm_funcs.c~
diff -rc2 ../kadmind.orig/kadm_ser_wrap.c ./kadm_ser_wrap.c
*** ../kadmind.orig/kadm_ser_wrap.c Thu Jan 19 18:04:04 1995
--- ./kadm_ser_wrap.c Thu Jan 19 21:59:15 1995
***************
*** 1,10 ****
/*
- * $Source: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadm_ser_wrap.c,v $
- * $Author: jtkohl $
- *
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * <mit-copyright.h>.
*
* Kerberos administration server-side support functions
--- 1,7 ----
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * Copyright.MIT.
*
* Kerberos administration server-side support functions
***************
*** 16,20 ****
#endif lint
- #include <mit-copyright.h>
/*
kadm_ser_wrap.c
--- 13,16 ----
Only in .: kadm_ser_wrap.c~
diff -rc2 ../kadmind.orig/kadm_server.c ./kadm_server.c
*** ../kadmind.orig/kadm_server.c Thu Jan 19 18:04:04 1995
--- ./kadm_server.c Thu Jan 19 21:59:31 1995
***************
*** 1,10 ****
/*
- * $Source: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadm_server.c,v $
- * $Author: jtkohl $
- *
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * <mit-copyright.h>.
*
* Kerberos administration server-side subroutines
--- 1,7 ----
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
! * Copyright.MIT.
*
* Kerberos administration server-side subroutines
***************
*** 15,20 ****
"Header: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadm_server.c,v 4.2 89/09/26 09:30:23 jtkohl Exp ";
#endif lint
-
- #include <mit-copyright.h>
#include <kadm.h>
--- 12,15 ----
Only in .: kadm_server.c~
diff -rc2 ../kadmind.orig/kadm_server.h ./kadm_server.h
*** ../kadmind.orig/kadm_server.h Thu Jan 19 18:04:05 1995
--- ./kadm_server.h Thu Jan 19 18:06:36 1995
***************
*** 7,11 ****
*
* For copying and distribution information, please see the file
! * <mit-copyright.h>.
*
* Definitions for Kerberos administration server & client
--- 7,11 ----
*
* For copying and distribution information, please see the file
! * Copyright.MIT.
*
* Definitions for Kerberos administration server & client
***************
*** 15,19 ****
#define KADM_SERVER_DEFS
- #include <mit-copyright.h>
/*
* kadm_server.h
--- 15,18 ----
***************
*** 25,30 ****
#include <sys/types.h>
! #include <krb.h>
! #include <des.h>
typedef struct {
--- 24,29 ----
#include <sys/types.h>
! #include <kerberosIV/krb.h>
! #include <kerberosIV/des.h>
typedef struct {
***************
*** 43,49 ****
/* the default syslog file */
! #define KADM_SYSLOG "/kerberos/admin_server.syslog"
! #define DEFAULT_ACL_DIR "/kerberos"
#define ADD_ACL_FILE "/admin_acl.add"
#define GET_ACL_FILE "/admin_acl.get"
--- 42,48 ----
/* the default syslog file */
! #define KADM_SYSLOG "/var/log/kadmind.syslog"
! #define DEFAULT_ACL_DIR "/etc/kerberosIV"
#define ADD_ACL_FILE "/admin_acl.add"
#define GET_ACL_FILE "/admin_acl.get"
-11
View File
@@ -1,11 +0,0 @@
# $Id: Makefile,v 1.1 1995/07/18 16:36:59 mark Exp $
PROG= kadmind
SRCS= admin_server.c kadm_funcs.c kadm_ser_wrap.c kadm_server.c
CFLAGS+=-DPOSIX -I${.CURDIR}/../include -I${KRBOBJDIR} \
-I${.CURDIR}/../libkadm -I${KADMOBJDIR} -Wall
LDADD+= -L${KADMOBJDIR} -lkadm -L${KDBOBJDIR} -lkdb -L${KRBOBJDIR} -lkrb \
-ldes -L${ACLOBJDIR} -lacl -lcom_err
MAN8= kadmind.8
.include <bsd.prog.mk>
-474
View File
@@ -1,474 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* Copyright.MIT.
*
* Top-level loop of the kerberos Administration server
*/
#if 0
#ifndef lint
static char rcsid_admin_server_c[] =
"Id: admin_server.c,v 4.8 90/01/02 13:50:38 jtkohl Exp ";
static const char rcsid[] =
"$Id";
#endif lint
#endif
/*
admin_server.c
this holds the main loop and initialization and cleanup code for the server
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <signal.h>
#ifndef sigmask
#define sigmask(m) (1 <<((m)-1))
#endif
#include <sys/wait.h>
#include <errno.h>
#include <sys/socket.h>
#include <syslog.h>
#include <com_err.h>
#include <kadm.h>
#include <kadm_err.h>
#include <krb_db.h>
#include "kadm_server.h"
/* Almost all procs and such need this, so it is global */
admin_params prm; /* The command line parameters struct */
char prog[32]; /* WHY IS THIS NEEDED??????? */
char *progname = prog;
char *acldir = DEFAULT_ACL_DIR;
char krbrlm[REALM_SZ];
extern Kadm_Server server_parm;
void cleanexit(int val);
void process_client(int fd, struct sockaddr_in *who);
void kill_children(void);
static void clear_secrets(void);
void byebye(void);
void close_syslog(void);
int kadm_listen(void);
/*
** Main does the logical thing, it sets up the database and RPC interface,
** as well as handling the creation and maintenance of the syslog file...
*/
void
main(argc, argv) /* admin_server main routine */
int argc;
char *argv[];
{
int errval;
int c;
extern char *optarg;
prog[sizeof(prog)-1]='\0'; /* Terminate... */
(void) strncpy(prog, argv[0], sizeof(prog)-1);
/* initialize the admin_params structure */
prm.sysfile = KADM_SYSLOG; /* default file name */
prm.inter = 1;
bzero(krbrlm, sizeof(krbrlm));
while ((c = getopt(argc, argv, "f:hnd:a:r:")) != EOF)
switch(c) {
case 'f': /* Syslog file name change */
prm.sysfile = optarg;
break;
case 'n':
prm.inter = 0;
break;
case 'a': /* new acl directory */
acldir = optarg;
break;
case 'd':
/* put code to deal with alt database place */
if ((errval = kerb_db_set_name(optarg))) {
fprintf(stderr, "opening database %s: %s",
optarg, error_message(errval));
exit(1);
}
break;
case 'r':
(void) strncpy(krbrlm, optarg, sizeof(krbrlm) - 1);
break;
case 'h': /* get help on using admin_server */
default:
printf("Usage: admin_server [-h] [-n] [-r realm] [-d dbname] [-f filename] [-a acldir]\n");
exit(-1); /* failure */
}
if (krbrlm[0] == 0)
if (krb_get_lrealm(krbrlm, 0) != KSUCCESS) {
fprintf(stderr,
"Unable to get local realm. Fix krb.conf or use -r.\n");
exit(1);
}
printf("KADM Server %s initializing\n",KADM_VERSTR);
printf("Please do not use 'kill -9' to kill this job, use a\n");
printf("regular kill instead\n\n");
set_logfile(prm.sysfile);
log("Admin server starting");
(void) kerb_db_set_lockmode(KERB_DBL_NONBLOCKING);
errval = kerb_init(); /* Open the Kerberos database */
if (errval) {
fprintf(stderr, "error: kerb_init() failed");
close_syslog();
byebye();
}
/* set up the server_parm struct */
if ((errval = kadm_ser_init(prm.inter, krbrlm))==KADM_SUCCESS) {
kerb_fini(); /* Close the Kerberos database--
will re-open later */
errval = kadm_listen(); /* listen for calls to server from
clients */
}
if (errval != KADM_SUCCESS) {
fprintf(stderr,"error: %s\n",error_message(errval));
kerb_fini(); /* Close if error */
}
close_syslog(); /* Close syslog file, print
closing note */
byebye(); /* Say bye bye on the terminal
in use */
} /* procedure main */
/* close the system log file */
void
close_syslog()
{
log("Shutting down admin server");
}
void
byebye() /* say goodnight gracie */
{
printf("Admin Server (kadm server) has completed operation.\n");
}
static void
clear_secrets()
{
bzero((char *)server_parm.master_key, sizeof(server_parm.master_key));
bzero((char *)server_parm.master_key_schedule,
sizeof(server_parm.master_key_schedule));
server_parm.master_key_version = 0L;
}
static exit_now = 0;
sigtype
doexit()
{
exit_now = 1;
#ifdef POSIX
return;
#else /* !POSIX */
return(0);
#endif /* POSIX */
}
unsigned pidarraysize = 0;
int *pidarray = (int *)0;
/*
kadm_listen
listen on the admin servers port for a request
*/
int
kadm_listen()
{
extern int errno;
int found;
int admin_fd;
int peer_fd;
fd_set mask, readfds;
struct sockaddr_in peer;
int addrlen;
int pid;
sigtype do_child();
(void) signal(SIGINT, doexit);
(void) signal(SIGTERM, doexit);
(void) signal(SIGHUP, doexit);
(void) signal(SIGQUIT, doexit);
(void) signal(SIGPIPE, SIG_IGN); /* get errors on write() */
(void) signal(SIGALRM, doexit);
(void) signal(SIGCHLD, do_child);
if ((admin_fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
return KADM_NO_SOCK;
if (bind(admin_fd, (struct sockaddr *)&server_parm.admin_addr,
sizeof(struct sockaddr_in)) < 0)
return KADM_NO_BIND;
(void) listen(admin_fd, 1);
FD_ZERO(&mask);
FD_SET(admin_fd, &mask);
for (;;) { /* loop nearly forever */
if (exit_now) {
clear_secrets();
kill_children();
return(0);
}
readfds = mask;
if ((found = select(admin_fd+1,&readfds,(fd_set *)0,
(fd_set *)0, (struct timeval *)0)) == 0)
continue; /* no things read */
if (found < 0) {
if (errno != EINTR)
log("select: %s",error_message(errno));
continue;
}
if (FD_ISSET(admin_fd, &readfds)) {
/* accept the conn */
addrlen = sizeof(peer);
if ((peer_fd = accept(admin_fd, (struct sockaddr *)&peer,
&addrlen)) < 0) {
log("accept: %s",error_message(errno));
continue;
}
addrlen = sizeof(server_parm.admin_addr);
if (getsockname(peer_fd, (struct sockaddr *)&server_parm.admin_addr,
&addrlen)) {
log("getsockname: %s",error_message(errno));
continue;
}
#ifdef DEBUG
printf("Connection recieved on %s\n",
inet_ntoa(server_parm.admin_addr.sin_addr));
#endif /* DEBUG */
#ifndef DEBUG
/* if you want a sep daemon for each server */
if ((pid = fork())) {
/* parent */
if (pid < 0) {
log("fork: %s",error_message(errno));
(void) close(peer_fd);
continue;
}
/* fork succeded: keep tabs on child */
(void) close(peer_fd);
if (pidarray) {
pidarray = (int *)realloc((char *)pidarray, ++pidarraysize);
pidarray[pidarraysize-1] = pid;
} else {
pidarray = (int *)malloc(pidarraysize = 1);
pidarray[0] = pid;
}
} else {
/* child */
(void) close(admin_fd);
#endif /* DEBUG */
/* do stuff */
process_client (peer_fd, &peer);
#ifndef DEBUG
}
#endif
} else {
log("something else woke me up!");
return(0);
}
}
/*NOTREACHED*/
return(0); /* Shut -Wall up - markm */
}
#ifdef DEBUG
#define cleanexit(code) {kerb_fini(); return;}
#endif
void
process_client(fd, who)
int fd;
struct sockaddr_in *who;
{
u_char *dat;
int dat_len;
u_short dlen;
int retval;
int on = 1;
Principal service;
des_cblock skey;
int more;
int status;
if (setsockopt(fd, SOL_SOCKET, SO_KEEPALIVE, &on, sizeof(on)) < 0)
log("setsockopt keepalive: %d",errno);
server_parm.recv_addr = *who;
if (kerb_init()) { /* Open as client */
log("can't open krb db");
cleanexit(1);
}
/* need to set service key to changepw.KRB_MASTER */
status = kerb_get_principal(server_parm.sname, server_parm.sinst, &service,
1, &more);
if (status == -1) {
/* db locked */
u_long retcode = KADM_DB_INUSE;
char *pdat;
dat_len = KADM_VERSIZE + sizeof(u_long);
dat = (u_char *) malloc((unsigned)dat_len);
pdat = (char *) dat;
retcode = htonl((u_long) KADM_DB_INUSE);
(void) strncpy(pdat, KADM_ULOSE, KADM_VERSIZE);
bcopy((char *)&retcode, &pdat[KADM_VERSIZE], sizeof(u_long));
goto out;
} else if (!status) {
log("no service %s.%s",server_parm.sname, server_parm.sinst);
cleanexit(2);
}
bcopy((char *)&service.key_low, (char *)skey, 4);
bcopy((char *)&service.key_high, (char *)(((long *) skey) + 1), 4);
bzero((char *)&service, sizeof(service));
kdb_encrypt_key (skey, skey, server_parm.master_key,
server_parm.master_key_schedule, DECRYPT);
(void) krb_set_key((char *)skey, 0); /* if error, will show up when
rd_req fails */
bzero((char *)skey, sizeof(skey));
while (1) {
if ((retval = krb_net_read(fd, (char *)&dlen, sizeof(u_short))) !=
sizeof(u_short)) {
if (retval < 0)
log("dlen read: %s",error_message(errno));
else if (retval)
log("short dlen read: %d",retval);
(void) close(fd);
cleanexit(retval ? 3 : 0);
}
if (exit_now) {
cleanexit(0);
}
dat_len = (int) ntohs(dlen);
dat = (u_char *) malloc((unsigned)dat_len);
if (!dat) {
log("malloc: No memory");
(void) close(fd);
cleanexit(4);
}
if ((retval = krb_net_read(fd, (char *)dat, dat_len)) != dat_len) {
if (retval < 0)
log("data read: %s",error_message(errno));
else
log("short read: %d vs. %d", dat_len, retval);
(void) close(fd);
cleanexit(5);
}
if (exit_now) {
cleanexit(0);
}
if ((retval = kadm_ser_in(&dat,&dat_len)) != KADM_SUCCESS)
log("processing request: %s", error_message(retval));
/* kadm_ser_in did the processing and returned stuff in
dat & dat_len , return the appropriate data */
out:
dlen = (u_short) dat_len;
if (dat_len != (int)dlen) {
clear_secrets();
abort(); /* XXX */
}
dlen = htons(dlen);
if (krb_net_write(fd, (char *)&dlen, sizeof(u_short)) < 0) {
log("writing dlen to client: %s",error_message(errno));
(void) close(fd);
cleanexit(6);
}
if (krb_net_write(fd, (char *)dat, dat_len) < 0) {
log(LOG_ERR, "writing to client: %s",error_message(errno));
(void) close(fd);
cleanexit(7);
}
free((char *)dat);
}
/*NOTREACHED*/
}
sigtype
do_child()
{
/* SIGCHLD brings us here */
int pid;
register int i, j;
#ifdef POSIX
int status;
#else
union wait status;
#endif
pid = wait(&status);
for (i = 0; i < pidarraysize; i++)
if (pidarray[i] == pid) {
/* found it */
for (j = i; j < pidarraysize-1; j++)
/* copy others down */
pidarray[j] = pidarray[j+1];
pidarraysize--;
if (WEXITSTATUS(status) || WCOREDUMP(status) || WIFSIGNALED(status))
log("child %d: termsig %d, coredump %d, retcode %d", pid,
WTERMSIG(status), WCOREDUMP(status), WEXITSTATUS(status));
#ifdef POSIX
return;
#else /* !POSIX */
return(0);
#endif /* POSIX */
}
log("child %d not in list: termsig %d, coredump %d, retcode %d", pid,
WTERMSIG(status), WCOREDUMP(status), WEXITSTATUS(status));
#ifdef POSIX
return;
#else /* !POSIX */
return(0);
#endif /* POSIX */
}
#ifndef DEBUG
void
cleanexit(val)
int val;
{
kerb_fini();
clear_secrets();
exit(val);
}
#endif
void
kill_children()
{
register int i;
int osigmask;
osigmask = sigblock(sigmask(SIGCHLD));
for (i = 0; i < pidarraysize; i++) {
kill(pidarray[i], SIGINT);
log("killing child %d", pidarray[i]);
}
sigsetmask(osigmask);
return;
}
-381
View File
@@ -1,381 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* Copyright.MIT
*
* Kerberos administration server-side database manipulation routines
*/
#if 0
#ifndef lint
static char rcsid_kadm_funcs_c[] =
"Id: kadm_funcs.c,v 4.3 90/03/20 01:39:51 jon Exp ";
static const char rcsid[] =
"$Id: kadm_funcs.c,v 1.1 1995/07/18 16:37:02 mark Exp $";
#endif lint
#endif
/*
kadm_funcs.c
the actual database manipulation code
*/
#include <stdio.h>
#include <string.h>
#include <com_err.h>
#include <sys/param.h>
#include <kadm.h>
#include <kadm_err.h>
#include <krb_db.h>
#include "kadm_server.h"
extern Kadm_Server server_parm;
int
check_access(pname, pinst, prealm, acltype)
char *pname;
char *pinst;
char *prealm;
enum acl_types acltype;
{
char checkname[MAX_K_NAME_SZ];
char filename[MAXPATHLEN];
extern char *acldir;
sprintf(checkname, "%s.%s@%s", pname, pinst, prealm);
switch (acltype) {
case ADDACL:
sprintf(filename, "%s%s", acldir, ADD_ACL_FILE);
break;
case GETACL:
sprintf(filename, "%s%s", acldir, GET_ACL_FILE);
break;
case MODACL:
sprintf(filename, "%s%s", acldir, MOD_ACL_FILE);
break;
}
return(acl_check(filename, checkname));
}
int
wildcard(str)
char *str;
{
if (!strcmp(str, WILDCARD_STR))
return(1);
return(0);
}
#define failadd(code) { (void) log("FAILED addding '%s.%s' (%s)", valsin->name, valsin->instance, error_message(code)); return code; }
int
kadm_add_entry (rname, rinstance, rrealm, valsin, valsout)
char *rname; /* requestors name */
char *rinstance; /* requestors instance */
char *rrealm; /* requestors realm */
Kadm_vals *valsin;
Kadm_vals *valsout;
{
long numfound; /* check how many we get written */
int more; /* pointer to more grabbed records */
Principal data_i, data_o; /* temporary principal */
u_char flags[4];
des_cblock newpw;
Principal default_princ;
if (!check_access(rname, rinstance, rrealm, ADDACL)) {
(void) log("WARNING: '%s.%s@%s' tried to add an entry for '%s.%s'",
rname, rinstance, rrealm, valsin->name, valsin->instance);
return KADM_UNAUTH;
}
/* Need to check here for "legal" name and instance */
if (wildcard(valsin->name) || wildcard(valsin->instance)) {
failadd(KADM_ILL_WILDCARD);
}
(void) log("request to add an entry for '%s.%s' from '%s.%s@%s'",
valsin->name, valsin->instance, rname, rinstance, rrealm);
numfound = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST,
&default_princ, 1, &more);
if (numfound == -1) {
failadd(KADM_DB_INUSE);
} else if (numfound != 1) {
failadd(KADM_UK_RERROR);
}
kadm_vals_to_prin(valsin->fields, &data_i, valsin);
(void) strncpy(data_i.name, valsin->name, ANAME_SZ);
(void) strncpy(data_i.instance, valsin->instance, INST_SZ);
if (!IS_FIELD(KADM_EXPDATE,valsin->fields))
data_i.exp_date = default_princ.exp_date;
if (!IS_FIELD(KADM_ATTR,valsin->fields))
data_i.attributes = default_princ.attributes;
if (!IS_FIELD(KADM_MAXLIFE,valsin->fields))
data_i.max_life = default_princ.max_life;
bzero((char *)&default_princ, sizeof(default_princ));
/* convert to host order */
data_i.key_low = ntohl(data_i.key_low);
data_i.key_high = ntohl(data_i.key_high);
bcopy(&data_i.key_low,newpw,4);
bcopy(&data_i.key_high,(char *)(((long *) newpw) + 1),4);
/* encrypt new key in master key */
kdb_encrypt_key (newpw, newpw, server_parm.master_key,
server_parm.master_key_schedule, ENCRYPT);
bcopy(newpw,&data_i.key_low,4);
bcopy((char *)(((long *) newpw) + 1), &data_i.key_high,4);
bzero((char *)newpw, sizeof(newpw));
data_o = data_i;
numfound = kerb_get_principal(valsin->name, valsin->instance,
&data_o, 1, &more);
if (numfound == -1) {
failadd(KADM_DB_INUSE);
} else if (numfound) {
failadd(KADM_INUSE);
} else {
data_i.key_version++;
data_i.kdc_key_ver = server_parm.master_key_version;
(void) strncpy(data_i.mod_name, rname, sizeof(data_i.mod_name)-1);
(void) strncpy(data_i.mod_instance, rinstance,
sizeof(data_i.mod_instance)-1);
numfound = kerb_put_principal(&data_i, 1);
if (numfound == -1) {
failadd(KADM_DB_INUSE);
} else if (numfound) {
failadd(KADM_UK_SERROR);
} else {
numfound = kerb_get_principal(valsin->name, valsin->instance,
&data_o, 1, &more);
if ((numfound!=1) || (more!=0)) {
failadd(KADM_UK_RERROR);
}
bzero((char *)flags, sizeof(flags));
SET_FIELD(KADM_NAME,flags);
SET_FIELD(KADM_INST,flags);
SET_FIELD(KADM_EXPDATE,flags);
SET_FIELD(KADM_ATTR,flags);
SET_FIELD(KADM_MAXLIFE,flags);
kadm_prin_to_vals(flags, valsout, &data_o);
(void) log("'%s.%s' added.", valsin->name, valsin->instance);
return KADM_DATA; /* Set all the appropriate fields */
}
}
}
#undef failadd
#define failget(code) { (void) log("FAILED retrieving '%s.%s' (%s)", valsin->name, valsin->instance, error_message(code)); return code; }
int
kadm_get_entry (rname, rinstance, rrealm, valsin, flags, valsout)
char *rname; /* requestors name */
char *rinstance; /* requestors instance */
char *rrealm; /* requestors realm */
Kadm_vals *valsin; /* what they wannt to get */
u_char *flags; /* which fields we want */
Kadm_vals *valsout; /* what data is there */
{
long numfound; /* check how many were returned */
int more; /* To point to more name.instances */
Principal data_o; /* Data object to hold Principal */
if (!check_access(rname, rinstance, rrealm, GETACL)) {
(void) log("WARNING: '%s.%s@%s' tried to get '%s.%s's entry",
rname, rinstance, rrealm, valsin->name, valsin->instance);
return KADM_UNAUTH;
}
if (wildcard(valsin->name) || wildcard(valsin->instance)) {
failget(KADM_ILL_WILDCARD);
}
(void) log("retrieve '%s.%s's entry for '%s.%s@%s'",
valsin->name, valsin->instance, rname, rinstance, rrealm);
/* Look up the record in the database */
numfound = kerb_get_principal(valsin->name, valsin->instance,
&data_o, 1, &more);
if (numfound == -1) {
failget(KADM_DB_INUSE);
} else if (numfound) { /* We got the record, let's return it */
kadm_prin_to_vals(flags, valsout, &data_o);
(void) log("'%s.%s' retrieved.", valsin->name, valsin->instance);
return KADM_DATA; /* Set all the appropriate fields */
} else {
failget(KADM_NOENTRY); /* Else whimper and moan */
}
}
#undef failget
#define failmod(code) { (void) log("FAILED modifying '%s.%s' (%s)", valsin1->name, valsin1->instance, error_message(code)); return code; }
int
kadm_mod_entry (rname, rinstance, rrealm, valsin1, valsin2, valsout)
char *rname; /* requestors name */
char *rinstance; /* requestors instance */
char *rrealm; /* requestors realm */
Kadm_vals *valsin1, *valsin2; /* holds the parameters being
passed in */
Kadm_vals *valsout; /* the actual record which is returned */
{
long numfound;
int more;
Principal data_o, temp_key;
u_char fields[4];
des_cblock newpw;
if (wildcard(valsin1->name) || wildcard(valsin1->instance)) {
failmod(KADM_ILL_WILDCARD);
}
if (!check_access(rname, rinstance, rrealm, MODACL)) {
(void) log("WARNING: '%s.%s@%s' tried to change '%s.%s's entry",
rname, rinstance, rrealm, valsin1->name, valsin1->instance);
return KADM_UNAUTH;
}
(void) log("request to modify '%s.%s's entry from '%s.%s@%s' ",
valsin1->name, valsin1->instance, rname, rinstance, rrealm);
numfound = kerb_get_principal(valsin1->name, valsin1->instance,
&data_o, 1, &more);
if (numfound == -1) {
failmod(KADM_DB_INUSE);
} else if (numfound) {
kadm_vals_to_prin(valsin2->fields, &temp_key, valsin2);
(void) strncpy(data_o.name, valsin1->name, ANAME_SZ);
(void) strncpy(data_o.instance, valsin1->instance, INST_SZ);
if (IS_FIELD(KADM_EXPDATE,valsin2->fields))
data_o.exp_date = temp_key.exp_date;
if (IS_FIELD(KADM_ATTR,valsin2->fields))
data_o.attributes = temp_key.attributes;
if (IS_FIELD(KADM_MAXLIFE,valsin2->fields))
data_o.max_life = temp_key.max_life;
if (IS_FIELD(KADM_DESKEY,valsin2->fields)) {
data_o.key_version++;
data_o.kdc_key_ver = server_parm.master_key_version;
/* convert to host order */
temp_key.key_low = ntohl(temp_key.key_low);
temp_key.key_high = ntohl(temp_key.key_high);
bcopy(&temp_key.key_low,newpw,4);
bcopy(&temp_key.key_high,(char *)(((long *) newpw) + 1),4);
/* encrypt new key in master key */
kdb_encrypt_key (newpw, newpw, server_parm.master_key,
server_parm.master_key_schedule, ENCRYPT);
bcopy(newpw,&data_o.key_low,4);
bcopy((char *)(((long *) newpw) + 1), &data_o.key_high,4);
bzero((char *)newpw, sizeof(newpw));
}
bzero((char *)&temp_key, sizeof(temp_key));
(void) strncpy(data_o.mod_name, rname, sizeof(data_o.mod_name)-1);
(void) strncpy(data_o.mod_instance, rinstance,
sizeof(data_o.mod_instance)-1);
more = kerb_put_principal(&data_o, 1);
bzero((char *)&data_o, sizeof(data_o));
if (more == -1) {
failmod(KADM_DB_INUSE);
} else if (more) {
failmod(KADM_UK_SERROR);
} else {
numfound = kerb_get_principal(valsin1->name, valsin1->instance,
&data_o, 1, &more);
if ((more!=0)||(numfound!=1)) {
failmod(KADM_UK_RERROR);
}
bzero((char *) fields, sizeof(fields));
SET_FIELD(KADM_NAME,fields);
SET_FIELD(KADM_INST,fields);
SET_FIELD(KADM_EXPDATE,fields);
SET_FIELD(KADM_ATTR,fields);
SET_FIELD(KADM_MAXLIFE,fields);
kadm_prin_to_vals(fields, valsout, &data_o);
(void) log("'%s.%s' modified.", valsin1->name, valsin1->instance);
return KADM_DATA; /* Set all the appropriate fields */
}
}
else {
failmod(KADM_NOENTRY);
}
}
#undef failmod
#define failchange(code) { (void) log("FAILED changing key for '%s.%s@%s' (%s)", rname, rinstance, rrealm, error_message(code)); return code; }
int
kadm_change (rname, rinstance, rrealm, newpw)
char *rname;
char *rinstance;
char *rrealm;
des_cblock newpw;
{
long numfound;
int more;
Principal data_o;
des_cblock local_pw;
if (strcmp(server_parm.krbrlm, rrealm)) {
(void) log("change key request from wrong realm, '%s.%s@%s'!\n",
rname, rinstance, rrealm);
return(KADM_WRONG_REALM);
}
if (wildcard(rname) || wildcard(rinstance)) {
failchange(KADM_ILL_WILDCARD);
}
(void) log("'%s.%s@%s' wants to change its password",
rname, rinstance, rrealm);
bcopy(newpw, local_pw, sizeof(local_pw));
/* encrypt new key in master key */
kdb_encrypt_key (local_pw, local_pw, server_parm.master_key,
server_parm.master_key_schedule, ENCRYPT);
numfound = kerb_get_principal(rname, rinstance,
&data_o, 1, &more);
if (numfound == -1) {
failchange(KADM_DB_INUSE);
} else if (numfound) {
bcopy(local_pw,&data_o.key_low,4);
bcopy((char *)(((long *) local_pw) + 1), &data_o.key_high,4);
data_o.key_version++;
data_o.kdc_key_ver = server_parm.master_key_version;
(void) strncpy(data_o.mod_name, rname, sizeof(data_o.mod_name)-1);
(void) strncpy(data_o.mod_instance, rinstance,
sizeof(data_o.mod_instance)-1);
more = kerb_put_principal(&data_o, 1);
bzero((char *) local_pw, sizeof(local_pw));
bzero((char *) &data_o, sizeof(data_o));
if (more == -1) {
failchange(KADM_DB_INUSE);
} else if (more) {
failchange(KADM_UK_SERROR);
} else {
(void) log("'%s.%s@%s' password changed.", rname, rinstance, rrealm);
return KADM_SUCCESS;
}
}
else {
failchange(KADM_NOENTRY);
}
}
#undef failchange
-213
View File
@@ -1,213 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* Copyright.MIT.
*
* Kerberos administration server-side support functions
*/
#if 0
#ifndef lint
static char rcsid_module_c[] =
"BonesHeader: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadm_ser_wrap.c,v 4.4 89/09/26 09:29:36 jtkohl Exp ";
#endif lint
#endif
/*
kadm_ser_wrap.c
unwraps wrapped packets and calls the appropriate server subroutine
*/
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <netdb.h>
#include <sys/socket.h>
#include <kadm.h>
#include <kadm_err.h>
#include <krb_err.h>
#include "kadm_server.h"
Kadm_Server server_parm;
/*
kadm_ser_init
set up the server_parm structure
*/
int
kadm_ser_init(inter, realm)
int inter; /* interactive or from file */
char realm[];
{
struct servent *sep;
struct hostent *hp;
char hostname[MAXHOSTNAMELEN];
init_kadm_err_tbl();
init_krb_err_tbl();
if (gethostname(hostname, sizeof(hostname)))
return KADM_NO_HOSTNAME;
strcpy(server_parm.sname, PWSERV_NAME);
strcpy(server_parm.sinst, KRB_MASTER);
strcpy(server_parm.krbrlm, realm);
server_parm.admin_fd = -1;
/* setting up the addrs */
if ((sep = getservbyname(KADM_SNAME, "tcp")) == NULL)
return KADM_NO_SERV;
bzero((char *)&server_parm.admin_addr,sizeof(server_parm.admin_addr));
server_parm.admin_addr.sin_family = AF_INET;
if ((hp = gethostbyname(hostname)) == NULL)
return KADM_NO_HOSTNAME;
server_parm.admin_addr.sin_addr.s_addr = INADDR_ANY;
server_parm.admin_addr.sin_port = sep->s_port;
/* setting up the database */
if (kdb_get_master_key((inter==1),server_parm.master_key,
server_parm.master_key_schedule) != 0)
return KADM_NO_MAST;
if ((server_parm.master_key_version =
kdb_verify_master_key(server_parm.master_key,
server_parm.master_key_schedule,stderr))<0)
return KADM_NO_VERI;
return KADM_SUCCESS;
}
static void
errpkt(dat, dat_len, code)
u_char **dat;
int *dat_len;
int code;
{
u_long retcode;
char *pdat;
free((char *)*dat); /* free up req */
*dat_len = KADM_VERSIZE + sizeof(u_long);
*dat = (u_char *) malloc((unsigned)*dat_len);
pdat = (char *) *dat;
retcode = htonl((u_long) code);
(void) strncpy(pdat, KADM_ULOSE, KADM_VERSIZE);
bcopy((char *)&retcode, &pdat[KADM_VERSIZE], sizeof(u_long));
return;
}
/*
kadm_ser_in
unwrap the data stored in dat, process, and return it.
*/
int
kadm_ser_in(dat,dat_len)
u_char **dat;
int *dat_len;
{
u_char *in_st; /* pointer into the sent packet */
int in_len,retc; /* where in packet we are, for
returns */
u_long r_len; /* length of the actual packet */
KTEXT_ST authent; /* the authenticator */
AUTH_DAT ad; /* who is this, klink */
u_long ncksum; /* checksum of encrypted data */
des_key_schedule sess_sched; /* our schedule */
MSG_DAT msg_st;
u_char *retdat, *tmpdat;
int retval, retlen;
if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
return KADM_LENGTH_ERROR;
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(u_long);
bcopy((char *)(*dat) + in_len, (char *)authent.dat, authent.length);
authent.mbz = 0;
/* service key should be set before here */
if ((retc = krb_rd_req(&authent, server_parm.sname, server_parm.sinst,
server_parm.recv_addr.sin_addr.s_addr, &ad, (char *)0)))
{
errpkt(dat, dat_len,retc + krb_err_base);
return retc + krb_err_base;
}
#define clr_cli_secrets() {bzero((char *)sess_sched, sizeof(sess_sched)); bzero((char *)ad.session, sizeof(ad.session));}
in_st = *dat + *dat_len - r_len;
#ifdef NOENCRYPTION
ncksum = 0;
#else
ncksum = quad_cksum((des_cblock *)in_st, (des_cblock *)0, (long) r_len,
0, (des_cblock *)ad.session);
#endif
if (ncksum!=ad.checksum) { /* yow, are we correct yet */
clr_cli_secrets();
errpkt(dat, dat_len,KADM_BAD_CHK);
return KADM_BAD_CHK;
}
#ifdef NOENCRYPTION
bzero(sess_sched, sizeof(sess_sched));
#else
des_key_sched((des_cblock *)ad.session, sess_sched);
#endif
if ((retc = (int) krb_rd_priv(in_st, r_len, sess_sched, ad.session,
&server_parm.recv_addr,
&server_parm.admin_addr, &msg_st))) {
clr_cli_secrets();
errpkt(dat, dat_len,retc + krb_err_base);
return retc + krb_err_base;
}
switch (msg_st.app_data[0]) {
case CHANGE_PW:
retval = kadm_ser_cpw(msg_st.app_data+1,(int) msg_st.app_length,&ad,
&retdat, &retlen);
break;
case ADD_ENT:
retval = kadm_ser_add(msg_st.app_data+1,(int) msg_st.app_length,&ad,
&retdat, &retlen);
break;
case GET_ENT:
retval = kadm_ser_get(msg_st.app_data+1,(int) msg_st.app_length,&ad,
&retdat, &retlen);
break;
case MOD_ENT:
retval = kadm_ser_mod(msg_st.app_data+1,(int) msg_st.app_length,&ad,
&retdat, &retlen);
break;
default:
clr_cli_secrets();
errpkt(dat, dat_len, KADM_NO_OPCODE);
return KADM_NO_OPCODE;
}
/* Now seal the response back into a priv msg */
free((char *)*dat);
tmpdat = (u_char *) malloc((unsigned)(retlen + KADM_VERSIZE +
sizeof(u_long)));
(void) strncpy((char *)tmpdat, KADM_VERSTR, KADM_VERSIZE);
retval = htonl((u_long)retval);
bcopy((char *)&retval, (char *)tmpdat + KADM_VERSIZE, sizeof(u_long));
if (retlen) {
bcopy((char *)retdat, (char *)tmpdat + KADM_VERSIZE + sizeof(u_long),
retlen);
free((char *)retdat);
}
/* slop for mk_priv stuff */
*dat = (u_char *) malloc((unsigned) (retlen + KADM_VERSIZE +
sizeof(u_long) + 200));
if ((*dat_len = krb_mk_priv(tmpdat, *dat,
(u_long) (retlen + KADM_VERSIZE +
sizeof(u_long)),
sess_sched,
ad.session, &server_parm.admin_addr,
&server_parm.recv_addr)) < 0) {
clr_cli_secrets();
errpkt(dat, dat_len, KADM_NO_ENCRYPT);
return KADM_NO_ENCRYPT;
}
clr_cli_secrets();
return KADM_SUCCESS;
}
-167
View File
@@ -1,167 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* Copyright.MIT.
*
* Kerberos administration server-side subroutines
*/
#if 0
#ifndef lint
static char rcsid_kadm_server_c[] =
"Header: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadm_server.c,v 4.2 89/09/26 09:30:23 jtkohl Exp ";
#endif lint
#endif
#include <string.h>
#include <kadm.h>
#include <kadm_err.h>
#include "kadm_server.h"
/*
kadm_ser_cpw - the server side of the change_password routine
recieves : KTEXT, {key}
returns : CKSUM, RETCODE
acl : caller can change only own password
Replaces the password (i.e. des key) of the caller with that specified in key.
Returns no actual data from the master server, since this is called by a user
*/
int
kadm_ser_cpw(dat, len, ad, datout, outlen)
u_char *dat;
int len;
AUTH_DAT *ad;
u_char **datout;
int *outlen;
{
unsigned long keylow, keyhigh;
des_cblock newkey;
int stvlen;
/* take key off the stream, and change the database */
if ((stvlen = stv_long(dat, &keyhigh, 0, len)) < 0)
return(KADM_LENGTH_ERROR);
if (stv_long(dat, &keylow, stvlen, len) < 0)
return(KADM_LENGTH_ERROR);
keylow = ntohl(keylow);
keyhigh = ntohl(keyhigh);
bcopy((char *)&keyhigh, (char *)(((long *)newkey) + 1), 4);
bcopy((char *)&keylow, (char *)newkey, 4);
*datout = 0;
*outlen = 0;
return(kadm_change(ad->pname, ad->pinst, ad->prealm, newkey));
}
/*
kadm_ser_add - the server side of the add_entry routine
recieves : KTEXT, {values}
returns : CKSUM, RETCODE, {values}
acl : su, sms (as alloc)
Adds and entry containing values to the database
returns the values of the entry, so if you leave certain fields blank you will
be able to determine the default values they are set to
*/
int
kadm_ser_add(dat,len,ad, datout, outlen)
u_char *dat;
int len;
AUTH_DAT *ad;
u_char **datout;
int *outlen;
{
Kadm_vals values, retvals;
int status;
if ((status = stream_to_vals(dat, &values, len)) < 0)
return(KADM_LENGTH_ERROR);
if ((status = kadm_add_entry(ad->pname, ad->pinst, ad->prealm,
&values, &retvals)) == KADM_DATA) {
*outlen = vals_to_stream(&retvals,datout);
return KADM_SUCCESS;
} else {
*outlen = 0;
return status;
}
}
/*
kadm_ser_mod - the server side of the mod_entry routine
recieves : KTEXT, {values, values}
returns : CKSUM, RETCODE, {values}
acl : su, sms (as register or dealloc)
Modifies all entries corresponding to the first values so they match the
second values.
returns the values for the changed entries
*/
int
kadm_ser_mod(dat,len,ad, datout, outlen)
u_char *dat;
int len;
AUTH_DAT *ad;
u_char **datout;
int *outlen;
{
Kadm_vals vals1, vals2, retvals;
int wh;
int status;
if ((wh = stream_to_vals(dat, &vals1, len)) < 0)
return KADM_LENGTH_ERROR;
if ((status = stream_to_vals(dat+wh,&vals2, len-wh)) < 0)
return KADM_LENGTH_ERROR;
if ((status = kadm_mod_entry(ad->pname, ad->pinst, ad->prealm, &vals1,
&vals2, &retvals)) == KADM_DATA) {
*outlen = vals_to_stream(&retvals,datout);
return KADM_SUCCESS;
} else {
*outlen = 0;
return status;
}
}
/*
kadm_ser_get
recieves : KTEXT, {values, flags}
returns : CKSUM, RETCODE, {count, values, values, values}
acl : su
gets the fields requested by flags from all entries matching values
returns this data for each matching recipient, after a count of how many such
matches there were
*/
int
kadm_ser_get(dat,len,ad, datout, outlen)
u_char *dat;
int len;
AUTH_DAT *ad;
u_char **datout;
int *outlen;
{
Kadm_vals values, retvals;
u_char fl[FLDSZ];
int loop,wh;
int status;
if ((wh = stream_to_vals(dat, &values, len)) < 0)
return KADM_LENGTH_ERROR;
if (wh + FLDSZ > len)
return KADM_LENGTH_ERROR;
for (loop=FLDSZ-1; loop>=0; loop--)
fl[loop] = dat[wh++];
if ((status = kadm_get_entry(ad->pname, ad->pinst, ad->prealm,
&values, fl, &retvals)) == KADM_DATA) {
*outlen = vals_to_stream(&retvals,datout);
return KADM_SUCCESS;
} else {
*outlen = 0;
return status;
}
}
-70
View File
@@ -1,70 +0,0 @@
/*
* $Source: /usr/cvs/src/eBones/kadmind/kadm_server.h,v $
* $Author: mark $
* Header: /afs/athena.mit.edu/astaff/project/kerberos/src/kadmin/RCS/kadm_server.h,v 4.1 89/12/21 17:46:51 jtkohl Exp
*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* Copyright.MIT.
*
* Definitions for Kerberos administration server & client
*/
#ifndef KADM_SERVER_DEFS
#define KADM_SERVER_DEFS
/*
* kadm_server.h
* Header file for the fourth attempt at an admin server
* Doug Church, December 28, 1989, MIT Project Athena
* ps. Yes that means this code belongs to athena etc...
* as part of our ongoing attempt to copyright all greek names
*/
#include <sys/types.h>
#include <krb.h>
#include <des.h>
typedef struct {
struct sockaddr_in admin_addr;
struct sockaddr_in recv_addr;
int recv_addr_len;
int admin_fd; /* our link to clients */
char sname[ANAME_SZ];
char sinst[INST_SZ];
char krbrlm[REALM_SZ];
C_Block master_key;
C_Block session_key;
Key_schedule master_key_schedule;
long master_key_version;
} Kadm_Server;
/* the default syslog file */
#define KADM_SYSLOG "/var/log/kadmind.syslog"
#define DEFAULT_ACL_DIR "/etc/kerberosIV"
#define ADD_ACL_FILE "/admin_acl.add"
#define GET_ACL_FILE "/admin_acl.get"
#define MOD_ACL_FILE "/admin_acl.mod"
int kadm_ser_in(unsigned char **dat, int *dat_len);
int kadm_ser_init(int inter, char realm[]);
int kadm_ser_cpw(u_char *dat, int len, AUTH_DAT *ad, u_char **datout,
int *outlen);
int kadm_ser_add(u_char *dat, int len, AUTH_DAT *ad, u_char **datout,
int *outlen);
int kadm_ser_mod(u_char *dat, int len, AUTH_DAT *ad, u_char **datout,
int *outlen);
int kadm_ser_get(u_char *dat, int len, AUTH_DAT *ad, u_char **datout,
int *outlen);
int kadm_change (char *rname, char *rinstance, char *rrealm,
des_cblock newpw);
int kadm_add_entry(char *rname, char *rinstance, char *rrealm,
Kadm_vals *valsin, Kadm_vals *valsout);
int kadm_mod_entry(char *rname, char *rinstance, char *rrealm,
Kadm_vals *valsin1, Kadm_vals *valsin2, Kadm_vals *valsout);
int kadm_get_entry(char *rname, char *rinstance, char *rrealm,
Kadm_vals *valsin, u_char *flags, Kadm_vals *valsout);
#endif KADM_SERVER_DEFS
-117
View File
@@ -1,117 +0,0 @@
.\" from: kadmind.8,v 4.1 89/07/25 17:28:33 jtkohl Exp $
.\" $Id: kadmind.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KADMIND 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kadmind \- network daemon for Kerberos database administration
.SH SYNOPSIS
.B kadmind
[
.B \-n
] [
.B \-h
] [
.B \-r realm
] [
.B \-f filename
] [
.B \-d dbname
] [
.B \-a acldir
]
.SH DESCRIPTION
.I kadmind
is the network database server for the Kerberos password-changing and
administration tools.
.PP
Upon execution, it prompts the user to enter the master key string for
the database.
.PP
If the
.B \-n
option is specified, the master key is instead fetched from the master
key cache file.
.PP
If the
.B \-r
.I realm
option is specified, the admin server will pretend that its
local realm is
.I realm
instead of the actual local realm of the host it is running on.
This makes it possible to run a server for a foreign kerberos
realm.
.PP
If the
.B \-f
.I filename
option is specified, then that file is used to hold the log information
instead of the default.
.PP
If the
.B \-d
.I dbname
option is specified, then that file is used as the database name instead
of the default.
.PP
If the
.B \-a
.I acldir
option is specified, then
.I acldir
is used as the directory in which to search for access control lists
instead of the default.
.PP
If the
.B \-h
option is specified,
.I kadmind
prints out a short summary of the permissible control arguments, and
then exits.
.PP
When performing requests on behalf of clients,
.I kadmind
checks access control lists (ACLs) to determine the authorization of the client
to perform the requested action.
Currently three distinct access types are supported:
.TP 1i
Addition
(.add ACL file). If a principal is on this list, it may add new
principals to the database.
.TP
Retrieval
(.get ACL file). If a principal is on this list, it may retrieve
database entries. NOTE: A principal's private key is never returned by
the get functions.
.TP
Modification
(.mod ACL file). If a principal is on this list, it may modify entries
in the database.
.PP
A principal is always granted authorization to change its own password.
.SH FILES
.TP 20n
/var/log/kadmind.syslog
Default log file.
.TP
/etc/kerberosIV/admin_acl.{add,get,mod}
Access control list files
.TP
/etc/kerberosIV/principal.db
DBM file containing database
.TP
/etc/kerberosIV/principal.ok
Semaphore indicating that the DBM database is not being modified.
.TP
/etc/kerberosIV/master_key
Master key cache file.
.SH "SEE ALSO"
kerberos(1), kpasswd(1), kadmin(8), acl_check(3)
.SH AUTHORS
Douglas A. Church, MIT Project Athena
.br
John T. Kohl, Project Athena/Digital Equipment Corporation
-11
View File
@@ -1,11 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.4 1995/07/18 16:37:10 mark Exp $
SHLIB_MAJOR= 2
SHLIB_MINOR= 0
LIB= kdb
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../include -Wall
SRCS= krb_cache.c krb_dbm.c krb_kdb_utils.c krb_lib.c print_princ.c
.include <bsd.lib.mk>
-181
View File
@@ -1,181 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* This is where a cache would be implemented, if it were necessary.
*
* from: krb_cache.c,v 4.5 89/01/24 18:12:34 jon Exp $
* $Id: krb_cache.c,v 1.3 1995/07/18 16:37:12 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: krb_cache.c,v 1.3 1995/07/18 16:37:12 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/uio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <strings.h>
#include <des.h>
#include <krb.h>
#include <krb_db.h>
#ifdef DEBUG
extern int debug;
extern long kerb_debug;
#endif
static init = 0;
/*
* initialization routine for cache
*/
int
kerb_cache_init()
{
init = 1;
return (0);
}
/*
* look up a principal in the cache returns number of principals found
*/
int
kerb_cache_get_principal(serv, inst, principal, max)
char *serv; /* could have wild card */
char *inst; /* could have wild card */
Principal *principal;
unsigned int max; /* max number of name structs to return */
{
int found = 0;
if (!init)
kerb_cache_init();
#ifdef DEBUG
if (kerb_debug & 2) {
fprintf(stderr, "cache_get_principal for %s %s max = %d\n",
serv, inst, max);
if (found) {
fprintf(stderr, "cache get %s %s found %s %s\n",
serv, inst, principal->name, principal->instance);
} else {
fprintf(stderr, "cache %s %s not found\n", serv,
inst);
}
}
#endif
return (found);
}
/*
* insert/replace a principal in the cache returns number of principals
* inserted
*/
int
kerb_cache_put_principal(principal, max)
Principal *principal;
unsigned int max; /* max number of principal structs to
* insert */
{
u_long i;
int count = 0;
if (!init)
kerb_cache_init();
#ifdef DEBUG
if (kerb_debug & 2) {
fprintf(stderr, "kerb_cache_put_principal max = %d",
max);
}
#endif
for (i = 0; i < max; i++) {
#ifdef DEBUG
if (kerb_debug & 2)
fprintf(stderr, "\n %s %s",
principal->name, principal->instance);
#endif
/* DO IT */
count++;
principal++;
}
return count;
}
/*
* look up a dba in the cache returns number of dbas found
*/
int
kerb_cache_get_dba(serv, inst, dba, max)
char *serv; /* could have wild card */
char *inst; /* could have wild card */
Dba *dba;
unsigned int max; /* max number of name structs to return */
{
int found = 0;
if (!init)
kerb_cache_init();
#ifdef DEBUG
if (kerb_debug & 2) {
fprintf(stderr, "cache_get_dba for %s %s max = %d\n",
serv, inst, max);
if (found) {
fprintf(stderr, "cache get %s %s found %s %s\n",
serv, inst, dba->name, dba->instance);
} else {
fprintf(stderr, "cache %s %s not found\n", serv, inst);
}
}
#endif
return (found);
}
/*
* insert/replace a dba in the cache returns number of dbas inserted
*/
int
kerb_cache_put_dba(dba, max)
Dba *dba;
unsigned int max; /* max number of dba structs to insert */
{
u_long i;
int count = 0;
if (!init)
kerb_cache_init();
#ifdef DEBUG
if (kerb_debug & 2) {
fprintf(stderr, "kerb_cache_put_dba max = %d", max);
}
#endif
for (i = 0; i < max; i++) {
#ifdef DEBUG
if (kerb_debug & 2)
fprintf(stderr, "\n %s %s",
dba->name, dba->instance);
#endif
/* DO IT */
count++;
dba++;
}
return count;
}
-1
View File
@@ -1 +0,0 @@
This file is now obsolete.
-789
View File
@@ -1,789 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: krb_dbm.c,v 4.9 89/04/18 16:15:13 wesommer Exp $
* $Id: krb_dbm.c,v 1.4 1995/08/03 17:15:42 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: krb_dbm.c,v 1.4 1995/08/03 17:15:42 mark Exp $";
#endif lint
#endif
#if defined(__FreeBSD__) || defined(__NetBSD__)
#define _NDBM_
#endif
#if defined(__FreeBSD__) || defined(__NetBSD__)
#define _DBM_
#endif
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/uio.h>
#include <sys/time.h>
#include <sys/stat.h>
#include <sys/resource.h>
#include <sys/errno.h>
#include <strings.h>
#include <des.h>
#include <sys/file.h>
#ifdef _NDBM_
#include <ndbm.h>
#else /*_NDBM_*/
#include <dbm.h>
#endif /*_NDBM_*/
/* before krb_db.h */
#include <krb.h>
#include <krb_db.h>
#ifdef dbm_pagfno
#define DB
#endif
#define KERB_DB_MAX_RETRY 5
#ifdef DEBUG
extern int debug;
extern long kerb_debug;
extern char *progname;
#endif
static init = 0;
static char default_db_name[] = DBM_FILE;
static char *current_db_name = default_db_name;
static void encode_princ_key(datum *key, char *name, char *instance);
static void decode_princ_key(datum *key, char *name, char *instance);
static void encode_princ_contents(datum *contents, Principal *principal);
static void decode_princ_contents(datum *contents, Principal *principal);
static void kerb_dbl_fini(void);
static int kerb_dbl_lock(int mode);
static void kerb_dbl_unlock(void);
static long kerb_start_update(char *db_name);
static long kerb_end_update(char *db_name, long age);
static struct timeval timestamp;/* current time of request */
static int non_blocking = 0;
/*
* This module contains all of the code which directly interfaces to
* the underlying representation of the Kerberos database; this
* implementation uses a DBM or NDBM indexed "file" (actually
* implemented as two separate files) to store the relations, plus a
* third file as a semaphore to allow the database to be replaced out
* from underneath the KDC server.
*/
/*
* Locking:
*
* There are two distinct locking protocols used. One is designed to
* lock against processes (the admin_server, for one) which make
* incremental changes to the database; the other is designed to lock
* against utilities (kdb_util, kpropd) which replace the entire
* database in one fell swoop.
*
* The first locking protocol is implemented using flock() in the
* krb_dbl_lock() and krb_dbl_unlock routines.
*
* The second locking protocol is necessary because DBM "files" are
* actually implemented as two separate files, and it is impossible to
* atomically rename two files simultaneously. It assumes that the
* database is replaced only very infrequently in comparison to the time
* needed to do a database read operation.
*
* A third file is used as a "version" semaphore; the modification
* time of this file is the "version number" of the database.
* At the start of a read operation, the reader checks the version
* number; at the end of the read operation, it checks again. If the
* version number changed, or if the semaphore was nonexistant at
* either time, the reader sleeps for a second to let things
* stabilize, and then tries again; if it does not succeed after
* KERB_DB_MAX_RETRY attempts, it gives up.
*
* On update, the semaphore file is deleted (if it exists) before any
* update takes place; at the end of the update, it is replaced, with
* a version number strictly greater than the version number which
* existed at the start of the update.
*
* If the system crashes in the middle of an update, the semaphore
* file is not automatically created on reboot; this is a feature, not
* a bug, since the database may be inconsistant. Note that the
* absence of a semaphore file does not prevent another _update_ from
* taking place later. Database replacements take place automatically
* only on slave servers; a crash in the middle of an update will be
* fixed by the next slave propagation. A crash in the middle of an
* update on the master would be somewhat more serious, but this would
* likely be noticed by an administrator, who could fix the problem and
* retry the operation.
*/
/* Macros to convert ndbm names to dbm names.
* Note that dbm_nextkey() cannot be simply converted using a macro, since
* it is invoked giving the database, and nextkey() needs the previous key.
*
* Instead, all routines call "dbm_next" instead.
*/
#ifndef _NDBM_
typedef char DBM;
#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
#define dbm_fetch(db, key) fetch(key)
#define dbm_store(db, key, content, flag) store(key, content)
#define dbm_firstkey(db) firstkey()
#define dbm_next(db,key) nextkey(key)
#define dbm_close(db) dbmclose()
#else
#define dbm_next(db,key) dbm_nextkey(db)
#endif
/*
* Utility routine: generate name of database file.
*/
static char *gen_dbsuffix(db_name, sfx)
char *db_name;
char *sfx;
{
char *dbsuffix;
if (sfx == NULL)
sfx = ".ok";
dbsuffix = malloc (strlen(db_name) + strlen(sfx) + 1);
strcpy(dbsuffix, db_name);
strcat(dbsuffix, sfx);
return dbsuffix;
}
/*
* initialization for data base routines.
*/
int
kerb_db_init()
{
init = 1;
return (0);
}
/*
* gracefully shut down database--must be called by ANY program that does
* a kerb_db_init
*/
void
kerb_db_fini()
{
}
/*
* Set the "name" of the current database to some alternate value.
*
* Passing a null pointer as "name" will set back to the default.
* If the alternate database doesn't exist, nothing is changed.
*/
int
kerb_db_set_name(name)
char *name;
{
DBM *db;
if (name == NULL)
name = default_db_name;
db = dbm_open(name, 0, 0);
if (db == NULL)
return errno;
dbm_close(db);
kerb_dbl_fini();
current_db_name = name;
return 0;
}
/*
* Return the last modification time of the database.
*/
long
kerb_get_db_age()
{
struct stat st;
char *okname;
long age;
okname = gen_dbsuffix(current_db_name, ".ok");
if (stat (okname, &st) < 0)
age = 0;
else
age = st.st_mtime;
free (okname);
return age;
}
/*
* Remove the semaphore file; indicates that database is currently
* under renovation.
*
* This is only for use when moving the database out from underneath
* the server (for example, during slave updates).
*/
static long
kerb_start_update(db_name)
char *db_name;
{
char *okname = gen_dbsuffix(db_name, ".ok");
long age = kerb_get_db_age();
if (unlink(okname) < 0
&& errno != ENOENT) {
age = -1;
}
free (okname);
return age;
}
static long
kerb_end_update(db_name, age)
char *db_name;
long age;
{
int fd;
int retval = 0;
char *new_okname = gen_dbsuffix(db_name, ".ok#");
char *okname = gen_dbsuffix(db_name, ".ok");
fd = open (new_okname, O_CREAT|O_RDWR|O_TRUNC, 0600);
if (fd < 0)
retval = errno;
else {
struct stat st;
struct timeval tv[2];
/* make sure that semaphore is "after" previous value. */
if (fstat (fd, &st) == 0
&& st.st_mtime <= age) {
tv[0].tv_sec = st.st_atime;
tv[0].tv_usec = 0;
tv[1].tv_sec = age;
tv[1].tv_usec = 0;
/* set times.. */
utimes (new_okname, tv);
fsync(fd);
}
close(fd);
if (rename (new_okname, okname) < 0)
retval = errno;
}
free (new_okname);
free (okname);
return retval;
}
static long
kerb_start_read()
{
return kerb_get_db_age();
}
static long
kerb_end_read(age)
u_long age;
{
if (kerb_get_db_age() != age || age == -1) {
return -1;
}
return 0;
}
/*
* Create the database, assuming it's not there.
*/
int
kerb_db_create(db_name)
char *db_name;
{
char *okname = gen_dbsuffix(db_name, ".ok");
int fd;
register int ret = 0;
#ifdef _NDBM_
DBM *db;
db = dbm_open(db_name, O_RDWR|O_CREAT|O_EXCL, 0600);
if (db == NULL)
ret = errno;
else
dbm_close(db);
#else
char *dirname = gen_dbsuffix(db_name, ".dir");
char *pagname = gen_dbsuffix(db_name, ".pag");
fd = open(dirname, O_RDWR|O_CREAT|O_EXCL, 0600);
if (fd < 0)
ret = errno;
else {
close(fd);
fd = open (pagname, O_RDWR|O_CREAT|O_EXCL, 0600);
if (fd < 0)
ret = errno;
else
close(fd);
}
if (dbminit(db_name) < 0)
ret = errno;
#endif
if (ret == 0) {
fd = open (okname, O_CREAT|O_RDWR|O_TRUNC, 0600);
if (fd < 0)
ret = errno;
close(fd);
}
return ret;
}
/*
* "Atomically" rename the database in a way that locks out read
* access in the middle of the rename.
*
* Not perfect; if we crash in the middle of an update, we don't
* necessarily know to complete the transaction the rename, but...
*/
int
kerb_db_rename(from, to)
char *from;
char *to;
{
#ifdef _DBM_
char *fromdb = gen_dbsuffix (from, ".db");
char *todb = gen_dbsuffix (to, ".db");
#else
char *fromdir = gen_dbsuffix (from, ".dir");
char *todir = gen_dbsuffix (to, ".dir");
char *frompag = gen_dbsuffix (from , ".pag");
char *topag = gen_dbsuffix (to, ".pag");
#endif
char *fromok = gen_dbsuffix(from, ".ok");
long trans = kerb_start_update(to);
int ok = 0;
#ifdef _DBM_
if (rename (fromdb, todb) == 0) {
#else
if ((rename (fromdir, todir) == 0)
&& (rename (frompag, topag) == 0)) {
#endif
(void) unlink (fromok);
ok = 1;
}
free (fromok);
#ifdef _DBM_
free (fromdb);
free (todb);
#else
free (fromdir);
free (todir);
free (frompag);
free (topag);
#endif
if (ok)
return kerb_end_update(to, trans);
else
return -1;
}
/*
* look up a principal in the data base returns number of principals
* found , and whether there were more than requested.
*/
int
kerb_db_get_principal(name, inst, principal, max, more)
char *name; /* could have wild card */
char *inst; /* could have wild card */
Principal *principal;
unsigned int max; /* max number of name structs to return */
int *more; /* where there more than 'max' tuples? */
{
int found = 0, code;
extern int errorproc();
int wildp, wildi;
datum key, contents;
char testname[ANAME_SZ], testinst[INST_SZ];
u_long trans;
int try;
DBM *db;
if (!init)
kerb_db_init(); /* initialize database routines */
for (try = 0; try < KERB_DB_MAX_RETRY; try++) {
trans = kerb_start_read();
if ((code = kerb_dbl_lock(KERB_DBL_SHARED)) != 0)
return -1;
db = dbm_open(current_db_name, O_RDONLY, 0600);
*more = 0;
#ifdef DEBUG
if (kerb_debug & 2)
fprintf(stderr,
"%s: db_get_principal for %s %s max = %d",
progname, name, inst, max);
#endif
wildp = !strcmp(name, "*");
wildi = !strcmp(inst, "*");
if (!wildi && !wildp) { /* nothing's wild */
encode_princ_key(&key, name, inst);
contents = dbm_fetch(db, key);
if (contents.dptr == NULL) {
found = 0;
goto done;
}
decode_princ_contents(&contents, principal);
#ifdef DEBUG
if (kerb_debug & 1) {
fprintf(stderr, "\t found %s %s p_n length %d t_n length %d\n",
principal->name, principal->instance,
strlen(principal->name),
strlen(principal->instance));
}
#endif
found = 1;
goto done;
}
/* process wild cards by looping through entire database */
for (key = dbm_firstkey(db); key.dptr != NULL;
key = dbm_next(db, key)) {
decode_princ_key(&key, testname, testinst);
if ((wildp || !strcmp(testname, name)) &&
(wildi || !strcmp(testinst, inst))) { /* have a match */
if (found >= max) {
*more = 1;
goto done;
} else {
found++;
contents = dbm_fetch(db, key);
decode_princ_contents(&contents, principal);
#ifdef DEBUG
if (kerb_debug & 1) {
fprintf(stderr,
"\tfound %s %s p_n length %d t_n length %d\n",
principal->name, principal->instance,
strlen(principal->name),
strlen(principal->instance));
}
#endif
principal++; /* point to next */
}
}
}
done:
kerb_dbl_unlock(); /* unlock read lock */
dbm_close(db);
if (kerb_end_read(trans) == 0)
break;
found = -1;
if (!non_blocking)
sleep(1);
}
return (found);
}
/*
* Update a name in the data base. Returns number of names
* successfully updated.
*/
int
kerb_db_put_principal(principal, max)
Principal *principal;
unsigned int max; /* number of principal structs to
* update */
{
int found = 0, code;
u_long i;
extern int errorproc();
datum key, contents;
DBM *db;
gettimeofday(&timestamp, NULL);
if (!init)
kerb_db_init();
if ((code = kerb_dbl_lock(KERB_DBL_EXCLUSIVE)) != 0)
return -1;
db = dbm_open(current_db_name, O_RDWR, 0600);
#ifdef DEBUG
if (kerb_debug & 2)
fprintf(stderr, "%s: kerb_db_put_principal max = %d",
progname, max);
#endif
/* for each one, stuff temps, and do replace/append */
for (i = 0; i < max; i++) {
encode_princ_contents(&contents, principal);
encode_princ_key(&key, principal->name, principal->instance);
dbm_store(db, key, contents, DBM_REPLACE);
#ifdef DEBUG
if (kerb_debug & 1) {
fprintf(stderr, "\n put %s %s\n",
principal->name, principal->instance);
}
#endif
found++;
principal++; /* bump to next struct */
}
dbm_close(db);
kerb_dbl_unlock(); /* unlock database */
return (found);
}
static void
encode_princ_key(key, name, instance)
datum *key;
char *name, *instance;
{
static char keystring[ANAME_SZ + INST_SZ];
bzero(keystring, ANAME_SZ + INST_SZ);
strncpy(keystring, name, ANAME_SZ);
strncpy(&keystring[ANAME_SZ], instance, INST_SZ);
key->dptr = keystring;
key->dsize = ANAME_SZ + INST_SZ;
}
static void
decode_princ_key(key, name, instance)
datum *key;
char *name, *instance;
{
strncpy(name, key->dptr, ANAME_SZ);
strncpy(instance, key->dptr + ANAME_SZ, INST_SZ);
name[ANAME_SZ - 1] = '\0';
instance[INST_SZ - 1] = '\0';
}
static void
encode_princ_contents(contents, principal)
datum *contents;
Principal *principal;
{
contents->dsize = sizeof(*principal);
contents->dptr = (char *) principal;
}
static void
decode_princ_contents(contents, principal)
datum *contents;
Principal *principal;
{
bcopy(contents->dptr, (char *) principal, sizeof(*principal));
}
void
kerb_db_get_stat(s)
DB_stat *s;
{
gettimeofday(&timestamp, NULL);
s->cpu = 0;
s->elapsed = 0;
s->dio = 0;
s->pfault = 0;
s->t_stamp = timestamp.tv_sec;
s->n_retrieve = 0;
s->n_replace = 0;
s->n_append = 0;
s->n_get_stat = 0;
s->n_put_stat = 0;
/* update local copy too */
}
void
kerb_db_put_stat(s)
DB_stat *s;
{
}
void
delta_stat(a, b, c)
DB_stat *a, *b, *c;
{
/* c = a - b then b = a for the next time */
c->cpu = a->cpu - b->cpu;
c->elapsed = a->elapsed - b->elapsed;
c->dio = a->dio - b->dio;
c->pfault = a->pfault - b->pfault;
c->t_stamp = a->t_stamp - b->t_stamp;
c->n_retrieve = a->n_retrieve - b->n_retrieve;
c->n_replace = a->n_replace - b->n_replace;
c->n_append = a->n_append - b->n_append;
c->n_get_stat = a->n_get_stat - b->n_get_stat;
c->n_put_stat = a->n_put_stat - b->n_put_stat;
bcopy(a, b, sizeof(DB_stat));
}
/*
* look up a dba in the data base returns number of dbas found , and
* whether there were more than requested.
*/
int
kerb_db_get_dba(dba_name, dba_inst, dba, max, more)
char *dba_name; /* could have wild card */
char *dba_inst; /* could have wild card */
Dba *dba;
unsigned int max; /* max number of name structs to return */
int *more; /* where there more than 'max' tuples? */
{
*more = 0;
return (0);
}
int
kerb_db_iterate (func, arg)
int (*func)();
char *arg; /* void *, really */
{
datum key, contents;
Principal *principal;
int code;
DBM *db;
kerb_db_init(); /* initialize and open the database */
if ((code = kerb_dbl_lock(KERB_DBL_SHARED)) != 0)
return code;
db = dbm_open(current_db_name, O_RDONLY, 0600);
for (key = dbm_firstkey (db); key.dptr != NULL; key = dbm_next(db, key)) {
contents = dbm_fetch (db, key);
/* XXX may not be properly aligned */
principal = (Principal *) contents.dptr;
if ((code = (*func)(arg, principal)) != 0)
return code;
}
dbm_close(db);
kerb_dbl_unlock();
return 0;
}
static int dblfd = -1;
static int mylock = 0;
static int inited = 0;
static void
kerb_dbl_init()
{
if (!inited) {
char *filename = gen_dbsuffix (current_db_name, ".ok");
if ((dblfd = open(filename, 0)) < 0) {
fprintf(stderr, "kerb_dbl_init: couldn't open %s\n", filename);
fflush(stderr);
perror("open");
exit(1);
}
free(filename);
inited++;
}
}
static void
kerb_dbl_fini()
{
close(dblfd);
dblfd = -1;
inited = 0;
mylock = 0;
}
static int
kerb_dbl_lock(mode)
int mode;
{
int flock_mode;
if (!inited)
kerb_dbl_init();
if (mylock) { /* Detect lock call when lock already
* locked */
fprintf(stderr, "Kerberos locking error (mylock)\n");
fflush(stderr);
exit(1);
}
switch (mode) {
case KERB_DBL_EXCLUSIVE:
flock_mode = LOCK_EX;
break;
case KERB_DBL_SHARED:
flock_mode = LOCK_SH;
break;
default:
fprintf(stderr, "invalid lock mode %d\n", mode);
abort();
}
if (non_blocking)
flock_mode |= LOCK_NB;
if (flock(dblfd, flock_mode) < 0)
return errno;
mylock++;
return 0;
}
static void
kerb_dbl_unlock()
{
if (!mylock) { /* lock already unlocked */
fprintf(stderr, "Kerberos database lock not locked when unlocking.\n");
fflush(stderr);
exit(1);
}
if (flock(dblfd, LOCK_UN) < 0) {
fprintf(stderr, "Kerberos database lock error. (unlocking)\n");
fflush(stderr);
perror("flock");
exit(1);
}
mylock = 0;
}
int
kerb_db_set_lockmode(mode)
int mode;
{
int old = non_blocking;
non_blocking = mode;
return old;
}
-148
View File
@@ -1,148 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* Utility routines for Kerberos programs which directly access
* the database. This code was duplicated in too many places
* before I gathered it here.
*
* Jon Rochlis, MIT Telecom, March 1988
*
* from: krb_kdb_utils.c,v 4.1 89/07/26 11:01:12 jtkohl Exp $
* $Id: krb_kdb_utils.c,v 1.3 1995/07/18 16:37:15 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: krb_kdb_utils.c,v 1.3 1995/07/18 16:37:15 mark Exp $";
#endif lint
#endif
#include <des.h>
#include <krb.h>
#include <krb_db.h>
#include <kdc.h>
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <sys/file.h>
long
kdb_get_master_key(prompt, master_key, master_key_sched)
int prompt;
C_Block master_key;
Key_schedule master_key_sched;
{
int kfile;
if (prompt) {
#ifdef NOENCRYPTION
placebo_read_password(master_key,
"\nEnter Kerberos master key: ", 0);
#else
des_read_password((des_cblock *)master_key,
"\nEnter Kerberos master key: ", 0);
#endif
printf ("\n");
}
else {
kfile = open(MKEYFILE, O_RDONLY, 0600);
if (kfile < 0) {
/* oh, for com_err_ */
return (-1);
}
if (read(kfile, (char *) master_key, 8) != 8) {
return (-1);
}
close(kfile);
}
#ifndef NOENCRYPTION
key_sched((des_cblock *)master_key,master_key_sched);
#endif
return (0);
}
/* The caller is reasponsible for cleaning up the master key and sched,
even if we can't verify the master key */
/* Returns master key version if successful, otherwise -1 */
long
kdb_verify_master_key (master_key, master_key_sched, out)
C_Block master_key;
Key_schedule master_key_sched;
FILE *out; /* setting this to non-null be do output */
{
C_Block key_from_db;
Principal principal_data[1];
int n, more = 0;
long master_key_version;
/* lookup the master key version */
n = kerb_get_principal(KERB_M_NAME, KERB_M_INST, principal_data,
1 /* only one please */, &more);
if ((n != 1) || more) {
if (out != (FILE *) NULL)
fprintf(out,
"verify_master_key: %s, %d found.\n",
"Kerberos error on master key version lookup",
n);
return (-1);
}
master_key_version = (long) principal_data[0].key_version;
/* set up the master key */
if (out != (FILE *) NULL) /* should we punt this? */
fprintf(out, "Current Kerberos master key version is %d.\n",
principal_data[0].kdc_key_ver);
/*
* now use the master key to decrypt the key in the db, had better
* be the same!
*/
bcopy(&principal_data[0].key_low, key_from_db, 4);
bcopy(&principal_data[0].key_high, ((long *) key_from_db) + 1, 4);
kdb_encrypt_key (key_from_db, key_from_db,
master_key, master_key_sched, DECRYPT);
/* the decrypted database key had better equal the master key */
n = bcmp((char *) master_key, (char *) key_from_db,
sizeof(master_key));
/* this used to zero the master key here! */
bzero(key_from_db, sizeof(key_from_db));
bzero(principal_data, sizeof (principal_data));
if (n && (out != (FILE *) NULL)) {
fprintf(out, "\n\07\07verify_master_key: Invalid master key; ");
fprintf(out, "does not match database.\n");
return (-1);
}
if (out != (FILE *) NULL) {
fprintf(out, "\nMaster key entered. BEWARE!\07\07\n");
fflush(out);
}
return (master_key_version);
}
/* The old algorithm used the key schedule as the initial vector which
was byte order depedent ... */
void
kdb_encrypt_key (in, out, master_key, master_key_sched, e_d_flag)
C_Block in, out, master_key;
Key_schedule master_key_sched;
int e_d_flag;
{
#ifdef NOENCRYPTION
bcopy(in, out, sizeof(C_Block));
#else
pcbc_encrypt((des_cblock*)in,(des_cblock*)out,(long)sizeof(C_Block),
master_key_sched,(des_cblock*)master_key,e_d_flag);
#endif
}
-242
View File
@@ -1,242 +0,0 @@
/*
* $Source: /usr/cvs/src/eBones/kdb/krb_lib.c,v $
* $Author: mark $
*
* Copyright 1988 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* <mit-copyright.h>.
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: krb_lib.c,v 1.3 1995/07/18 16:37:17 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/uio.h>
#include <sys/time.h>
#include <sys/resource.h>
#include <strings.h>
#include <des.h>
#include <krb.h>
#include <krb_db.h>
#ifdef DEBUG
extern int debug;
extern char *progname;
long kerb_debug;
#endif
static init = 0;
/*
* initialization routine for data base
*/
int
kerb_init()
{
#ifdef DEBUG
if (!init) {
char *dbg = getenv("KERB_DBG");
if (dbg)
sscanf(dbg, "%ld", &kerb_debug);
init = 1;
}
#endif
kerb_db_init();
#ifdef CACHE
kerb_cache_init();
#endif
/* successful init, return 0, else errcode */
return (0);
}
/*
* finalization routine for database -- NOTE: MUST be called by any
* program using kerb_init. ALSO will have to be modified to finalize
* caches, if they're ever really implemented.
*/
void
kerb_fini()
{
kerb_db_fini();
}
/*
* look up a principal in the cache or data base returns number of
* principals found
*/
int
kerb_get_principal(name, inst, principal, max, more)
char *name; /* could have wild card */
char *inst; /* could have wild card */
Principal *principal;
unsigned int max; /* max number of name structs to return */
int *more; /* more tuples than room for */
{
int found = 0;
#ifdef CACHE
static int wild = 0;
#endif
if (!init)
kerb_init();
#ifdef DEBUG
if (kerb_debug & 1)
fprintf(stderr, "\n%s: kerb_get_principal for %s %s max = %d\n",
progname, name, inst, max);
#endif
/*
* if this is a request including a wild card, have to go to db
* since the cache may not be exhaustive.
*/
/* clear the principal area */
bzero((char *) principal, max * sizeof(Principal));
#ifdef CACHE
/*
* so check to see if the name contains a wildcard "*" or "?", not
* preceeded by a backslash.
*/
wild = 0;
if (index(name, '*') || index(name, '?') ||
index(inst, '*') || index(inst, '?'))
wild = 1;
if (!wild) {
/* try the cache first */
found = kerb_cache_get_principal(name, inst, principal, max, more);
if (found)
return (found);
}
#endif
/* If we didn't try cache, or it wasn't there, try db */
found = kerb_db_get_principal(name, inst, principal, max, more);
/* try to insert principal(s) into cache if it was found */
#ifdef CACHE
if (found) {
kerb_cache_put_principal(principal, found);
}
#endif
return (found);
}
/* principals */
int
kerb_put_principal(principal, n)
Principal *principal;
unsigned int n; /* number of principal structs to write */
{
long time();
struct tm *tp, *localtime();
/* set mod date */
principal->mod_date = time((long *)0);
/* and mod date string */
tp = localtime(&principal->mod_date);
(void) sprintf(principal->mod_date_txt, "%4d-%2d-%2d",
tp->tm_year > 1900 ? tp->tm_year : tp->tm_year + 1900,
tp->tm_mon + 1, tp->tm_mday); /* January is 0, not 1 */
#ifdef DEBUG
if (kerb_debug & 1) {
int i;
fprintf(stderr, "\nkerb_put_principal...");
for (i = 0; i < n; i++) {
krb_print_principal(&principal[i]);
}
}
#endif
/* write database */
if (kerb_db_put_principal(principal, n) < 0) {
#ifdef DEBUG
if (kerb_debug & 1)
fprintf(stderr, "\n%s: kerb_db_put_principal err", progname);
/* watch out for cache */
#endif
return -1;
}
#ifdef CACHE
/* write cache */
if (!kerb_cache_put_principal(principal, n)) {
#ifdef DEBUG
if (kerb_debug & 1)
fprintf(stderr, "\n%s: kerb_cache_put_principal err", progname);
#endif
return -1;
}
#endif
return 0;
}
int
kerb_get_dba(name, inst, dba, max, more)
char *name; /* could have wild card */
char *inst; /* could have wild card */
Dba *dba;
unsigned int max; /* max number of name structs to return */
int *more; /* more tuples than room for */
{
int found = 0;
#ifdef CACHE
static int wild = 0;
#endif
if (!init)
kerb_init();
#ifdef DEBUG
if (kerb_debug & 1)
fprintf(stderr, "\n%s: kerb_get_dba for %s %s max = %d\n",
progname, name, inst, max);
#endif
/*
* if this is a request including a wild card, have to go to db
* since the cache may not be exhaustive.
*/
/* clear the dba area */
bzero((char *) dba, max * sizeof(Dba));
#ifdef CACHE
/*
* so check to see if the name contains a wildcard "*" or "?", not
* preceeded by a backslash.
*/
wild = 0;
if (index(name, '*') || index(name, '?') ||
index(inst, '*') || index(inst, '?'))
wild = 1;
if (!wild) {
/* try the cache first */
found = kerb_cache_get_dba(name, inst, dba, max, more);
if (found)
return (found);
}
#endif
/* If we didn't try cache, or it wasn't there, try db */
found = kerb_db_get_dba(name, inst, dba, max, more);
#ifdef CACHE
/* try to insert dba(s) into cache if it was found */
if (found) {
kerb_cache_put_dba(dba, found);
}
#endif
return (found);
}
-51
View File
@@ -1,51 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: $Header: /usr/cvs/src/eBones/kdb/print_princ.c,v 1.3 1995/07/18 16:37:19 mark Exp $
* $Id: print_princ.c,v 1.3 1995/07/18 16:37:19 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: print_princ.c,v 1.3 1995/07/18 16:37:19 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <time.h>
#include <sys/types.h>
#include <sys/time.h>
#include <strings.h>
#include <krb.h>
#include <krb_db.h>
extern int debug;
long kerb_debug;
static struct tm *time_p;
void
krb_print_principal(a_n)
Principal *a_n;
{
/* run-time database does not contain string versions */
time_p = localtime(&(a_n->exp_date));
fprintf(stderr,
"\n%s %s expires %4d-%2d-%2d %2d:%2d, max_life %d*5 = %d min attr 0x%02x",
a_n->name, a_n->instance,
time_p->tm_year > 1900 ? time_p->tm_year : time_p->tm_year + 1900,
time_p->tm_mon + 1, time_p->tm_mday,
time_p->tm_hour, time_p->tm_min,
a_n->max_life, 5 * a_n->max_life, a_n->attributes);
fprintf(stderr,
"\n\tkey_ver %d k_low 0x%08lx k_high 0x%08lx akv %d exists %d\n",
a_n->key_version, a_n->key_low, a_n->key_high,
a_n->kdc_key_ver, (int)a_n->old);
fflush(stderr);
}
-8
View File
@@ -1,8 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.3 1995/07/18 16:37:22 mark Exp $
PROG= kdb_destroy
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../include -Wall
MAN8= kdb_destroy.8
.include <bsd.prog.mk>
-36
View File
@@ -1,36 +0,0 @@
.\" from: kdb_destroy.8,v 4.1 89/01/23 11:08:02 jtkohl Exp $
.\" $Id: kdb_destroy.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KDB_DESTROY 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kdb_destroy \- destroy Kerberos key distribution center database
.SH SYNOPSIS
kdb_destroy
.SH DESCRIPTION
.I kdb_destroy
deletes a Kerberos key distribution center database.
.PP
The user is prompted to verify that the database should be destroyed. A
response beginning with `y' or `Y' confirms deletion.
Any other response aborts deletion.
.SH DIAGNOSTICS
.TP 20n
"Database cannot be deleted at /kerberos/principal"
The attempt to delete the database failed (probably due to a system or
access permission error).
.TP
"Database not deleted."
The user aborted the deletion.
.SH FILES
.TP 20n
/etc/kerberosIV/principal.db
DBM file containing database
.TP
/etc/kerberosIV/principal.ok
Semaphore indicating that the DBM database is not being modified.
.SH SEE ALSO
kdb_init(8)
-66
View File
@@ -1,66 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: kdb_destroy.c,v 4.0 89/01/24 21:49:02 jtkohl Exp $
* $Id: kdb_destroy.c,v 1.5 1995/08/04 06:35:45 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: kdb_destroy.c,v 1.5 1995/08/04 06:35:45 mark Exp $";
#endif lint
#endif
#include <unistd.h>
#include <strings.h>
#include <stdio.h>
#include <krb.h>
#include <krb_db.h>
#if defined(__FreeBSD__) || defined(__NetBSD__)
#define _DBM_
#endif
void
main()
{
char answer[10]; /* user input */
#ifdef _DBM_
char dbm[256]; /* database path and name */
char *file; /* database file names */
#else
char dbm[256]; /* database path and name */
char dbm1[256]; /* database path and name */
char *file1, *file2; /* database file names */
#endif
strcpy(dbm, DBM_FILE);
#ifdef _DBM_
file = strcat(dbm, ".db");
#else
strcpy(dbm1, DBM_FILE);
file1 = strcat(dbm, ".dir");
file2 = strcat(dbm1, ".pag");
#endif
printf("You are about to destroy the Kerberos database ");
printf("on this machine.\n");
printf("Are you sure you want to do this (y/n)? ");
fgets(answer, sizeof(answer), stdin);
if (answer[0] == 'y' || answer[0] == 'Y') {
#ifdef _DBM_
if (unlink(file) == 0)
#else
if (unlink(file1) == 0 && unlink(file2) == 0)
#endif
fprintf(stderr, "Database deleted at %s\n", DBM_FILE);
else
fprintf(stderr, "Database cannot be deleted at %s\n",
DBM_FILE);
} else
fprintf(stderr, "Database not deleted.\n");
}
-12
View File
@@ -1,12 +0,0 @@
# From: @(#)Makefile 5.2 (Berkeley) 2/14/91
# $Id: Makefile,v 1.3 1995/07/18 16:37:25 mark Exp $
PROG= kdb_edit
CFLAGS+=-DKERBEROS -DDEBUG -I. -I${.CURDIR}/../include -Wall
SRCS= kdb_edit.c maketime.c
.PATH: ${.CURDIR}/../kdb_edit
DPADD= ${LIBKDB} ${LIBKRB}
LDADD= -L${KDBOBJDIR} -lkdb -L${KRBOBJDIR} -lkrb -ldes
MAN8= kdb_edit.8
.include <bsd.prog.mk>
-58
View File
@@ -1,58 +0,0 @@
.\" from: kdb_edit.8,v 4.1 89/01/23 11:08:55 jtkohl Exp $
.\" $Id: kdb_edit.8,v 1.2 1995/02/08 10:54:20 jkh Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KDB_EDIT 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kdb_edit \- Kerberos key distribution center database editing utility
.SH SYNOPSIS
kdb_edit [
.B \-n
]
.SH DESCRIPTION
.I kdb_edit
is used to create or change principals stored in the Kerberos key
distribution center (KDC) database.
.PP
When executed,
.I kdb_edit
prompts for the master key string and verifies that it matches the
master key stored in the database.
If the
.B \-n
option is specified, the master key is instead fetched from the master
key cache file.
.PP
Once the master key has been verified,
.I kdb_edit
begins a prompt loop. The user is prompted for the principal and
instance to be modified. If the entry is not found the user may create
it.
Once an entry is found or created, the user may set the password,
expiration date, maximum ticket lifetime, and attributes.
Default expiration dates, maximum ticket lifetimes, and attributes are
presented in brackets; if the user presses return the default is selected.
There is no default password.
The password "RANDOM" and an empty password are interpreted specially,
if entered the user may have the program select a random DES key for the
principal.
.PP
Upon successfully creating or changing the entry, ``Edit O.K.'' is
printed.
.SH DIAGNOSTICS
.TP 20n
"verify_master_key: Invalid master key, does not match database."
The master key string entered was incorrect.
.SH FILES
.TP 20n
/etc/kerberosIV/principal.db
DBM file containing database
.TP
/etc/kerberosIV/principal.ok
Semaphore indicating that the DBM database is not being modified.
.TP
/etc/kerberosIV/master_key
Master key cache file.
-477
View File
@@ -1,477 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* This routine changes the Kerberos encryption keys for principals,
* i.e., users or services.
*
* from: kdb_edit.c,v 4.2 90/01/09 16:05:09 raeburn Exp $
* $Id: kdb_edit.c,v 1.5 1995/08/03 17:15:54 mark Exp $
*/
/*
* exit returns 0 ==> success -1 ==> error
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: kdb_edit.c,v 1.5 1995/08/03 17:15:54 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <signal.h>
#include <errno.h>
#include <strings.h>
#include <sys/ioctl.h>
#include <sys/file.h>
#include "time.h"
#include <des.h>
#include <krb.h>
#include <krb_db.h>
/* MKEYFILE is now defined in kdc.h */
#include <kdc.h>
void Usage(void);
void cleanup(void);
void sig_exit(int sig, int code, struct sigcontext *scp);
void no_core_dumps(void);
int change_principal(void);
#define zaptime(foo) bzero((char *)(foo), sizeof(*(foo)))
char prog[32];
char *progname = prog;
int nflag = 0;
int cflag;
int lflag;
int uflag;
int debug;
extern kerb_debug;
Key_schedule KS;
C_Block new_key;
unsigned char *input;
unsigned char *ivec;
int i, j;
int more;
char *in_ptr;
char input_name[ANAME_SZ];
char input_instance[INST_SZ];
char input_string[ANAME_SZ];
#define MAX_PRINCIPAL 10
Principal principal_data[MAX_PRINCIPAL];
static Principal old_principal;
static Principal default_princ;
static C_Block master_key;
static C_Block session_key;
static Key_schedule master_key_schedule;
static char pw_str[255];
static long master_key_version;
/*
* gets replacement
*/
static char * s_gets(char * str, int len)
{
int i;
char *s;
if((s = fgets(str, len, stdin)) == NULL)
return(s);
if(str[i = (strlen(str)-1)] == '\n')
str[i] = '\0';
return(s);
}
int
main(argc, argv)
int argc;
char *argv[];
{
/* Local Declarations */
long n;
prog[sizeof prog - 1] = '\0'; /* make sure terminated */
strncpy(prog, argv[0], sizeof prog - 1); /* salt away invoking
* program */
/* Assume a long is four bytes */
if (sizeof(long) != 4) {
fprintf(stdout, "%s: size of long is %d.\n", prog, sizeof(long));
exit(-1);
}
/* Assume <=32 signals */
if (NSIG > 32) {
fprintf(stderr, "%s: more than 32 signals defined.\n", prog);
exit(-1);
}
while (--argc > 0 && (*++argv)[0] == '-')
for (i = 1; argv[0][i] != '\0'; i++) {
switch (argv[0][i]) {
/* debug flag */
case 'd':
debug = 1;
continue;
/* debug flag */
case 'l':
kerb_debug |= 1;
continue;
case 'n': /* read MKEYFILE for master key */
nflag = 1;
continue;
default:
fprintf(stderr, "%s: illegal flag \"%c\"\n",
progname, argv[0][i]);
Usage(); /* Give message and die */
}
};
fprintf(stdout, "Opening database...\n");
fflush(stdout);
kerb_init();
if (argc > 0) {
if (kerb_db_set_name(*argv) != 0) {
fprintf(stderr, "Could not open altername database name\n");
exit(1);
}
}
#ifdef notdef
no_core_dumps(); /* diddle signals to avoid core dumps! */
/* ignore whatever is reasonable */
signal(SIGHUP, SIG_IGN);
signal(SIGINT, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
#endif
if (kdb_get_master_key ((nflag == 0),
master_key, master_key_schedule) != 0) {
fprintf (stdout, "Couldn't read master key.\n");
fflush (stdout);
exit (-1);
}
if ((master_key_version = kdb_verify_master_key(master_key,
master_key_schedule,
stdout)) < 0)
exit (-1);
/* lookup the default values */
n = kerb_get_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST,
&default_princ, 1, &more);
if (n != 1) {
fprintf(stderr,
"%s: Kerberos error on default value lookup, %ld found.\n",
progname, n);
exit(-1);
}
fprintf(stdout, "Previous or default values are in [brackets] ,\n");
fprintf(stdout, "enter return to leave the same, or new value.\n");
while (change_principal()) {
}
cleanup();
return(0); /* make -Wall shut up - MRVM */
}
int
change_principal()
{
static char temp[255];
int creating = 0;
int editpw = 0;
int changed = 0;
long temp_long;
int n;
struct tm *tp, edate, *localtime();
long maketime();
fprintf(stdout, "\nPrincipal name: ");
fflush(stdout);
if (!s_gets(input_name, ANAME_SZ-1) || *input_name == '\0')
return 0;
fprintf(stdout, "Instance: ");
fflush(stdout);
/* instance can be null */
s_gets(input_instance, INST_SZ-1);
j = kerb_get_principal(input_name, input_instance, principal_data,
MAX_PRINCIPAL, &more);
if (!j) {
fprintf(stdout, "\n\07\07<Not found>, Create [y] ? ");
s_gets(temp, sizeof(temp)-1); /* Default case should work, it didn't */
if (temp[0] != 'y' && temp[0] != 'Y' && temp[0] != '\0')
return -1;
/* make a new principal, fill in defaults */
j = 1;
creating = 1;
strcpy(principal_data[0].name, input_name);
strcpy(principal_data[0].instance, input_instance);
principal_data[0].old = NULL;
principal_data[0].exp_date = default_princ.exp_date;
principal_data[0].max_life = default_princ.max_life;
principal_data[0].attributes = default_princ.attributes;
principal_data[0].kdc_key_ver = (unsigned char) master_key_version;
principal_data[0].key_version = 0; /* bumped up later */
}
tp = localtime(&principal_data[0].exp_date);
(void) sprintf(principal_data[0].exp_date_txt, "%4d-%02d-%02d",
tp->tm_year > 1900 ? tp->tm_year : tp->tm_year + 1900,
tp->tm_mon + 1, tp->tm_mday); /* January is 0, not 1 */
for (i = 0; i < j; i++) {
for (;;) {
fprintf(stdout,
"\nPrincipal: %s, Instance: %s, kdc_key_ver: %d",
principal_data[i].name, principal_data[i].instance,
principal_data[i].kdc_key_ver);
editpw = 1;
changed = 0;
if (!creating) {
/*
* copy the existing data so we can use the old values
* for the qualifier clause of the replace
*/
principal_data[i].old = (char *) &old_principal;
bcopy(&principal_data[i], &old_principal,
sizeof(old_principal));
printf("\nChange password [n] ? ");
s_gets(temp, sizeof(temp)-1);
if (strcmp("y", temp) && strcmp("Y", temp))
editpw = 0;
}
/* password */
if (editpw) {
#ifdef NOENCRYPTION
placebo_read_pw_string(pw_str, sizeof pw_str,
"\nNew Password: ", TRUE);
#else
des_read_pw_string(pw_str, sizeof pw_str,
"\nNew Password: ", TRUE);
#endif
if (pw_str[0] == '\0' || !strcmp(pw_str, "RANDOM")) {
printf("\nRandom password [y] ? ");
s_gets(temp, sizeof(temp)-1);
if (!strcmp("n", temp) || !strcmp("N", temp)) {
/* no, use literal */
#ifdef NOENCRYPTION
bzero(new_key, sizeof(C_Block));
new_key[0] = 127;
#else
string_to_key(pw_str, &new_key);
#endif
bzero(pw_str, sizeof pw_str); /* "RANDOM" */
} else {
#ifdef NOENCRYPTION
bzero(new_key, sizeof(C_Block));
new_key[0] = 127;
#else
random_key(new_key);
#endif
bzero(pw_str, sizeof pw_str);
}
} else if (!strcmp(pw_str, "NULL")) {
printf("\nNull Key [y] ? ");
s_gets(temp, sizeof(temp)-1);
if (!strcmp("n", temp) || !strcmp("N", temp)) {
/* no, use literal */
#ifdef NOENCRYPTION
bzero(new_key, sizeof(C_Block));
new_key[0] = 127;
#else
string_to_key(pw_str, &new_key);
#endif
bzero(pw_str, sizeof pw_str); /* "NULL" */
} else {
principal_data[i].key_low = 0;
principal_data[i].key_high = 0;
goto null_key;
}
} else {
#ifdef NOENCRYPTION
bzero(new_key, sizeof(C_Block));
new_key[0] = 127;
#else
string_to_key(pw_str, &new_key);
#endif
bzero(pw_str, sizeof pw_str);
}
/* seal it under the kerberos master key */
kdb_encrypt_key (new_key, new_key,
master_key, master_key_schedule,
ENCRYPT);
bcopy(new_key, &principal_data[i].key_low, 4);
bcopy(((long *) new_key) + 1,
&principal_data[i].key_high, 4);
bzero(new_key, sizeof(new_key));
null_key:
/* set master key version */
principal_data[i].kdc_key_ver =
(unsigned char) master_key_version;
/* bump key version # */
principal_data[i].key_version++;
fprintf(stdout,
"\nPrincipal's new key version = %d\n",
principal_data[i].key_version);
fflush(stdout);
changed = 1;
}
/* expiration date */
fprintf(stdout, "Expiration date (enter yyyy-mm-dd) [ %s ] ? ",
principal_data[i].exp_date_txt);
zaptime(&edate);
while (s_gets(temp, sizeof(temp)-1) && ((n = strlen(temp)) >
sizeof(principal_data[0].exp_date_txt))) {
bad_date:
fprintf(stdout, "\07\07Date Invalid\n");
fprintf(stdout,
"Expiration date (enter yyyy-mm-dd) [ %s ] ? ",
principal_data[i].exp_date_txt);
zaptime(&edate);
}
if (*temp) {
if (sscanf(temp, "%d-%d-%d", &edate.tm_year,
&edate.tm_mon, &edate.tm_mday) != 3)
goto bad_date;
(void) strcpy(principal_data[i].exp_date_txt, temp);
edate.tm_mon--; /* January is 0, not 1 */
edate.tm_hour = 23; /* nearly midnight at the end of the */
edate.tm_min = 59; /* specified day */
if (!(principal_data[i].exp_date = maketime(&edate, 1)))
goto bad_date;
changed = 1;
}
/* maximum lifetime */
fprintf(stdout, "Max ticket lifetime (*5 minutes) [ %d ] ? ",
principal_data[i].max_life);
while (s_gets(temp, sizeof(temp)-1) && *temp) {
if (sscanf(temp, "%ld", &temp_long) != 1)
goto bad_life;
if (temp_long > 255 || (temp_long < 0)) {
bad_life:
fprintf(stdout, "\07\07Invalid, choose 0-255\n");
fprintf(stdout,
"Max ticket lifetime (*5 minutes) [ %d ] ? ",
principal_data[i].max_life);
continue;
}
changed = 1;
/* dont clobber */
principal_data[i].max_life = (unsigned short) temp_long;
break;
}
/* attributes */
fprintf(stdout, "Attributes [ %d ] ? ",
principal_data[i].attributes);
while (s_gets(temp, sizeof(temp)-1) && *temp) {
if (sscanf(temp, "%ld", &temp_long) != 1)
goto bad_att;
if (temp_long > 65535 || (temp_long < 0)) {
bad_att:
fprintf(stdout, "\07\07Invalid, choose 0-65535\n");
fprintf(stdout, "Attributes [ %d ] ? ",
principal_data[i].attributes);
continue;
}
changed = 1;
/* dont clobber */
principal_data[i].attributes =
(unsigned short) temp_long;
break;
}
/*
* remaining fields -- key versions and mod info, should
* not be directly manipulated
*/
if (changed) {
if (kerb_put_principal(&principal_data[i], 1)) {
fprintf(stdout,
"\nError updating Kerberos database");
} else {
fprintf(stdout, "Edit O.K.");
}
} else {
fprintf(stdout, "Unchanged");
}
bzero(&principal_data[i].key_low, 4);
bzero(&principal_data[i].key_high, 4);
fflush(stdout);
break;
}
}
if (more) {
fprintf(stdout, "\nThere were more tuples found ");
fprintf(stdout, "than there were space for");
}
return 1;
}
void
no_core_dumps()
{
signal(SIGQUIT, (sig_t)sig_exit);
signal(SIGILL, (sig_t)sig_exit);
signal(SIGTRAP, (sig_t)sig_exit);
signal(SIGIOT, (sig_t)sig_exit);
signal(SIGEMT, (sig_t)sig_exit);
signal(SIGFPE, (sig_t)sig_exit);
signal(SIGBUS, (sig_t)sig_exit);
signal(SIGSEGV, (sig_t)sig_exit);
signal(SIGSYS, (sig_t)sig_exit);
}
void
sig_exit(sig, code, scp)
int sig, code;
struct sigcontext *scp;
{
cleanup();
fprintf(stderr,
"\nSignal caught, sig = %d code = %d old pc = 0x%X \nexiting",
sig, code, scp->sc_pc);
exit(-1);
}
void
cleanup()
{
bzero(master_key, sizeof(master_key));
bzero(session_key, sizeof(session_key));
bzero(master_key_schedule, sizeof(master_key_schedule));
bzero(principal_data, sizeof(principal_data));
bzero(new_key, sizeof(new_key));
bzero(pw_str, sizeof(pw_str));
}
void
Usage()
{
fprintf(stderr, "Usage: %s [-n]\n", progname);
exit(1);
}
-85
View File
@@ -1,85 +0,0 @@
/*
* Copyright 1990 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* Convert a struct tm * to a UNIX time.
*
* from: maketime.c,v 4.2 90/01/09 15:54:51 raeburn Exp $
* $Id: maketime.c,v 1.3 1995/07/18 16:37:29 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: maketime.c,v 1.1 1994/03/21 16:23:54 piero Exp ";
#endif lint
#endif
#include <sys/time.h>
#define daysinyear(y) (((y) % 4) ? 365 : (((y) % 100) ? 366 : (((y) % 400) ? 365 : 366)))
#define SECSPERDAY 24*60*60
#define SECSPERHOUR 60*60
#define SECSPERMIN 60
static int cumdays[] = { 0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334,
365};
static int leapyear[] = {31, 29, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
static int nonleapyear[] = {31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31};
long
maketime(tp, local)
register struct tm *tp;
int local;
{
register long retval;
int foo;
int *marray;
if (tp->tm_mon < 0 || tp->tm_mon > 11 ||
tp->tm_hour < 0 || tp->tm_hour > 23 ||
tp->tm_min < 0 || tp->tm_min > 59 ||
tp->tm_sec < 0 || tp->tm_sec > 59) /* out of range */
return 0;
retval = 0;
if (tp->tm_year < 1900)
foo = tp->tm_year + 1900;
else
foo = tp->tm_year;
if (foo < 1901 || foo > 2038) /* year is too small/large */
return 0;
if (daysinyear(foo) == 366) {
if (tp->tm_mon > 1)
retval+= SECSPERDAY; /* add leap day */
marray = leapyear;
} else
marray = nonleapyear;
if (tp->tm_mday < 0 || tp->tm_mday > marray[tp->tm_mon])
return 0; /* out of range */
while (--foo >= 1970)
retval += daysinyear(foo) * SECSPERDAY;
retval += cumdays[tp->tm_mon] * SECSPERDAY;
retval += (tp->tm_mday-1) * SECSPERDAY;
retval += tp->tm_hour * SECSPERHOUR + tp->tm_min * SECSPERMIN + tp->tm_sec;
if (local) {
/* need to use local time, so we retrieve timezone info */
struct timezone tz;
struct timeval tv;
if (gettimeofday(&tv, &tz) < 0) {
/* some error--give up? */
return(retval);
}
retval += tz.tz_minuteswest * SECSPERMIN;
}
return(retval);
}
-45
View File
@@ -1,45 +0,0 @@
/* Structure for use by time manipulating subroutines.
* The following library routines use it:
* libc: ctime, localtime, gmtime, asctime
* libcx: partime, maketime (may not be installed yet)
*/
/*
* from: time.h,v 1.1 82/05/06 11:34:29 wft Exp $
* $Id: time.h,v 1.3 1995/07/18 16:37:31 mark Exp $
*/
struct tm { /* See defines below for allowable ranges */
int tm_sec;
int tm_min;
int tm_hour;
int tm_mday;
int tm_mon;
int tm_year;
int tm_wday;
int tm_yday;
int tm_isdst;
int tm_zon; /* NEW: mins westward of Greenwich */
int tm_ampm; /* NEW: 1 if AM, 2 if PM */
};
#define LCLZONE (5*60) /* Until V7 ftime(2) works, this defines local zone*/
#define TMNULL (-1) /* Items not specified are given this value
* in order to distinguish null specs from zero
* specs. This is only used by partime and
* maketime. */
/* Indices into TM structure */
#define TM_SEC 0 /* 0-59 */
#define TM_MIN 1 /* 0-59 */
#define TM_HOUR 2 /* 0-23 */
#define TM_MDAY 3 /* 1-31 day of month */
#define TM_DAY TM_MDAY /* " synonym */
#define TM_MON 4 /* 0-11 */
#define TM_YEAR 5 /* (year-1900) (year) */
#define TM_WDAY 6 /* 0-6 day of week (0 = Sunday) */
#define TM_YDAY 7 /* 0-365 day of year */
#define TM_ISDST 8 /* 0 Std, 1 DST */
/* New stuff */
#define TM_ZON 9 /* 0-(24*60) minutes west of Greenwich */
#define TM_AMPM 10 /* 1 AM, 2 PM */
-10
View File
@@ -1,10 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.3 1995/07/18 16:37:34 mark Exp $
PROG= kdb_init
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../include -Wall
DPADD= ${LIBKDB} ${LIBKRB}
LDADD= -L${KDBOBJDIR} -lkdb -L${KRBOBJDIR} -lkrb -ldes
MAN8= kdb_init.8
.include <bsd.prog.mk>
-45
View File
@@ -1,45 +0,0 @@
.\" from: kdb_init.8,v 4.1 89/01/23 11:09:02 jtkohl Exp $
.\" $Id: kdb_init.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KDB_INIT 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kdb_init \- Initialize Kerberos key distribution center database
.SH SYNOPSIS
kdb_init [
.B realm
]
.SH DESCRIPTION
.I kdb_init
initializes a Kerberos key distribution center database, creating the
necessary principals.
.PP
If the optional
.I realm
argument is not present,
.I kdb_init
prompts for a realm name (defaulting to the definition in
/usr/include/kerberosIV/krb.h).
After determining the realm to be created, it prompts for
a master key password. The master key password is used to encrypt
every encryption key stored in the database.
.SH DIAGNOSTICS
.TP 20n
"/etc/kerberosIV/principal: File exists"
An attempt was made to create a database on a machine which already had
an existing database.
.SH FILES
.TP 20n
/etc/kerberosIV/principal.db
DBM file containing database
.TP
/etc/kerberosIV/principal.ok
Semaphore indicating that the DBM database is not being modified.
.TP
/usr/include/kerberosIV/krb.h
Include file defining default realm
.SH SEE ALSO
kdb_destroy(8)
-180
View File
@@ -1,180 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* program to initialize the database, reports error if database file
* already exists.
*
* from: kdb_init.c,v 4.0 89/01/24 21:50:45 jtkohl Exp $
* $Id: kdb_init.c,v 1.4 1995/07/18 16:37:35 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: kdb_init.c,v 1.4 1995/07/18 16:37:35 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <sys/types.h>
#include <sys/file.h>
#include <sys/time.h>
#include <des.h>
#include <krb.h>
#include <krb_db.h>
#include <string.h>
#define TRUE 1
enum ap_op {
NULL_KEY, /* setup null keys */
MASTER_KEY, /* use master key as new key */
RANDOM_KEY, /* choose a random key */
};
int add_principal(char *name, char *instance, enum ap_op aap_op);
int debug = 0;
char *progname;
C_Block master_key;
Key_schedule master_key_schedule;
int
main(argc, argv)
int argc;
char *argv[];
{
char realm[REALM_SZ];
char *cp;
int code;
char *database;
progname = (cp = rindex(*argv, '/')) ? cp + 1 : *argv;
if (argc > 3) {
fprintf(stderr, "Usage: %s [realm-name] [database-name]\n", argv[0]);
exit(1);
}
if (argc == 3) {
database = argv[2];
--argc;
} else
database = DBM_FILE;
/* Do this first, it'll fail if the database exists */
if ((code = kerb_db_create(database)) != 0) {
fprintf(stderr, "Couldn't create database: %s\n",
sys_errlist[code]);
exit(1);
}
kerb_db_set_name(database);
if (argc == 2)
strncpy(realm, argv[1], REALM_SZ);
else {
fprintf(stderr, "Realm name [default %s ]: ", KRB_REALM);
if (fgets(realm, sizeof(realm), stdin) == NULL) {
fprintf(stderr, "\nEOF reading realm\n");
exit(1);
}
if ((cp = index(realm, '\n')))
*cp = '\0';
if (!*realm) /* no realm given */
strcpy(realm, KRB_REALM);
}
if (!k_isrealm(realm)) {
fprintf(stderr, "%s: Bad kerberos realm name \"%s\"\n",
progname, realm);
exit(1);
}
printf("You will be prompted for the database Master Password.\n");
printf("It is important that you NOT FORGET this password.\n");
fflush(stdout);
if (kdb_get_master_key (TRUE, master_key, master_key_schedule) != 0) {
fprintf (stderr, "Couldn't read master key.\n");
exit (-1);
}
if (
add_principal(KERB_M_NAME, KERB_M_INST, MASTER_KEY) ||
add_principal(KERB_DEFAULT_NAME, KERB_DEFAULT_INST, NULL_KEY) ||
add_principal("krbtgt", realm, RANDOM_KEY) ||
add_principal("changepw", KRB_MASTER, RANDOM_KEY)
) {
fprintf(stderr, "\n%s: couldn't initialize database.\n",
progname);
exit(1);
}
/* play it safe */
bzero (master_key, sizeof (C_Block));
bzero (master_key_schedule, sizeof (Key_schedule));
exit(0);
}
/* use a return code to indicate success or failure. check the return */
/* values of the routines called by this routine. */
int
add_principal(name, instance, aap_op)
char *name, *instance;
enum ap_op aap_op;
{
Principal principal;
struct tm *tm;
C_Block new_key;
bzero(&principal, sizeof(principal));
strncpy(principal.name, name, ANAME_SZ);
strncpy(principal.instance, instance, INST_SZ);
switch (aap_op) {
case NULL_KEY:
principal.key_low = 0;
principal.key_high = 0;
break;
case RANDOM_KEY:
#ifdef NOENCRYPTION
bzero(new_key, sizeof(C_Block));
new_key[0] = 127;
#else
random_key(new_key);
#endif
kdb_encrypt_key (new_key, new_key, master_key, master_key_schedule,
ENCRYPT);
bcopy(new_key, &principal.key_low, 4);
bcopy(((long *) new_key) + 1, &principal.key_high, 4);
break;
case MASTER_KEY:
bcopy (master_key, new_key, sizeof (C_Block));
kdb_encrypt_key (new_key, new_key, master_key, master_key_schedule,
ENCRYPT);
bcopy(new_key, &principal.key_low, 4);
bcopy(((long *) new_key) + 1, &principal.key_high, 4);
break;
}
principal.exp_date = 946702799; /* Happy new century */
strncpy(principal.exp_date_txt, "12/31/99", DATE_SZ);
principal.mod_date = time(0);
tm = localtime(&principal.mod_date);
principal.attributes = 0;
principal.max_life = 255;
principal.kdc_key_ver = 1;
principal.key_version = 1;
strncpy(principal.mod_name, "db_creation", ANAME_SZ);
strncpy(principal.mod_instance, "", INST_SZ);
principal.old = 0;
kerb_db_put_principal(&principal, 1);
/* let's play it safe */
bzero (new_key, sizeof (C_Block));
bzero (&principal.key_low, 4);
bzero (&principal.key_high, 4);
return 0;
}
-13
View File
@@ -1,13 +0,0 @@
# From: @(#)Makefile 5.2 (Berkeley) 2/14/91
# $Id: Makefile,v 1.3 1995/07/18 16:37:38 mark Exp $
PROG= kdb_util
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../kdb_edit \
-I${.CURDIR}/../include -Wall
SRCS= kdb_util.c maketime.c
.PATH: ${.CURDIR}/../kdb_edit
DPADD= ${LIBKDB} ${LIBKRB}
LDADD= -L${KDBOBJDIR} -lkdb -L${KRBOBJDIR} -lkrb -ldes
MAN8= kdb_util.8
.include <bsd.prog.mk>
-64
View File
@@ -1,64 +0,0 @@
.\" from: kdb_util.8,v 4.1 89/01/23 11:09:11 jtkohl Exp $
.\" $Id: kdb_util.8,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KDB_UTIL 8 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kdb_util \- Kerberos key distribution center database utility
.SH SYNOPSIS
kdb_util
.B operation filename
.SH DESCRIPTION
.I kdb_util
allows the Kerberos key distribution center (KDC) database administrator to
perform utility functions on the database.
.PP
.I Operation
must be one of the following:
.TP 10n
.I load
initializes the KDC database with the records described by the
text contained in the file
.IR filename .
Any existing database is overwritten.
.TP
.I dump
dumps the KDC database into a text representation in the file
.IR filename .
.TP
.I slave_dump
performs a database dump like the
.I dump
operation, and additionally creates a semaphore file signalling the
propagation software that an update is available for distribution to
slave KDC databases.
.TP
.I new_master_key
prompts for the old and new master key strings, and then dumps the KDC
database into a text representation in the file
.IR filename .
The keys in the text representation are encrypted in the new master key.
.TP
.I convert_old_db
prompts for the master key string, and then dumps the KDC database into
a text representation in the file
.IR filename .
The existing database is assumed to be encrypted using the old format
(encrypted by the key schedule of the master key); the dumped database
is encrypted using the new format (encrypted directly with master key).
.PP
.SH DIAGNOSTICS
.TP 20n
"verify_master_key: Invalid master key, does not match database."
The master key string entered was incorrect.
.SH FILES
.TP 20n
/etc/kerberosIV/principal.db
DBM file containing database
.TP
.IR filename .dump_ok
semaphore file created by
.IR slave_dump.
-523
View File
@@ -1,523 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* Kerberos database manipulation utility. This program allows you to
* dump a kerberos database to an ascii readable file and load this
* file into the database. Read locking of the database is done during a
* dump operation. NO LOCKING is done during a load operation. Loads
* should happen with other processes shutdown.
*
* Written July 9, 1987 by Jeffrey I. Schiller
*
* from: kdb_util.c,v 4.4 90/01/09 15:57:20 raeburn Exp $
* $Id: kdb_util.c,v 1.5 1995/08/03 17:15:57 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: kdb_util.c,v 1.5 1995/08/03 17:15:57 mark Exp $";
#endif lint
#endif
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <time.h>
#include <strings.h>
#include <des.h>
#include <krb.h>
#include <sys/file.h>
#include <krb_db.h>
#define TRUE 1
Principal aprinc;
static des_cblock master_key, new_master_key;
static des_key_schedule master_key_schedule, new_master_key_schedule;
#define zaptime(foo) bzero((char *)(foo), sizeof(*(foo)))
char * progname;
void convert_old_format_db (char *db_file, FILE *out);
void convert_new_master_key (char *db_file, FILE *out);
void update_ok_file (char *file_name);
void print_time(FILE *file, unsigned long timeval);
void load_db (char *db_file, FILE *input_file);
int dump_db (char *db_file, FILE *output_file, void (*cv_key)());
int
main(argc, argv)
int argc;
char **argv;
{
FILE *file;
enum {
OP_LOAD,
OP_DUMP,
OP_SLAVE_DUMP,
OP_NEW_MASTER,
OP_CONVERT_OLD_DB,
} op;
char *file_name;
char *prog = argv[0];
char *db_name;
progname = prog;
if (argc != 3 && argc != 4) {
fprintf(stderr, "Usage: %s operation file-name [database name].\n",
argv[0]);
exit(1);
}
if (argc == 3)
db_name = DBM_FILE;
else
db_name = argv[3];
if (kerb_db_set_name (db_name) != 0) {
perror("Can't open database");
exit(1);
}
if (!strcmp(argv[1], "load"))
op = OP_LOAD;
else if (!strcmp(argv[1], "dump"))
op = OP_DUMP;
else if (!strcmp(argv[1], "slave_dump"))
op = OP_SLAVE_DUMP;
else if (!strcmp(argv[1], "new_master_key"))
op = OP_NEW_MASTER;
else if (!strcmp(argv[1], "convert_old_db"))
op = OP_CONVERT_OLD_DB;
else {
fprintf(stderr,
"%s: %s is an invalid operation.\n", prog, argv[1]);
fprintf(stderr,
"%s: Valid operations are \"dump\", \"slave_dump\",", argv[0]);
fprintf(stderr,
"\"load\", \"new_master_key\", and \"convert_old_db\".\n");
exit(1);
}
file_name = argv[2];
file = fopen(file_name, op == OP_LOAD ? "r" : "w");
if (file == NULL) {
fprintf(stderr, "%s: Unable to open %s\n", prog, argv[2]);
(void) fflush(stderr);
perror("open");
exit(1);
}
switch (op) {
case OP_DUMP:
if ((dump_db (db_name, file, (void (*)()) 0) == EOF) ||
(fclose(file) == EOF)) {
fprintf(stderr, "error on file %s:", file_name);
perror("");
exit(1);
}
break;
case OP_SLAVE_DUMP:
if ((dump_db (db_name, file, (void (*)()) 0) == EOF) ||
(fclose(file) == EOF)) {
fprintf(stderr, "error on file %s:", file_name);
perror("");
exit(1);
}
update_ok_file (file_name);
break;
case OP_LOAD:
load_db (db_name, file);
break;
case OP_NEW_MASTER:
convert_new_master_key (db_name, file);
printf("Don't forget to do a `kdb_util load %s' to reload the database!\n", file_name);
break;
case OP_CONVERT_OLD_DB:
convert_old_format_db (db_name, file);
printf("Don't forget to do a `kdb_util load %s' to reload the database!\n", file_name);
break;
}
exit(0);
}
void
clear_secrets ()
{
bzero((char *)master_key, sizeof (des_cblock));
bzero((char *)master_key_schedule, sizeof (Key_schedule));
bzero((char *)new_master_key, sizeof (des_cblock));
bzero((char *)new_master_key_schedule, sizeof (Key_schedule));
}
/* cv_key is a procedure which takes a principle and changes its key,
either for a new method of encrypting the keys, or a new master key.
if cv_key is null no transformation of key is done (other than net byte
order). */
struct callback_args {
void (*cv_key)();
FILE *output_file;
};
static int dump_db_1(arg, principal)
char *arg;
Principal *principal;
{ /* replace null strings with "*" */
struct callback_args *a = (struct callback_args *)arg;
if (principal->instance[0] == '\0') {
principal->instance[0] = '*';
principal->instance[1] = '\0';
}
if (principal->mod_name[0] == '\0') {
principal->mod_name[0] = '*';
principal->mod_name[1] = '\0';
}
if (principal->mod_instance[0] == '\0') {
principal->mod_instance[0] = '*';
principal->mod_instance[1] = '\0';
}
if (a->cv_key != NULL) {
(*a->cv_key) (principal);
}
fprintf(a->output_file, "%s %s %d %d %d %d %lx %lx",
principal->name,
principal->instance,
principal->max_life,
principal->kdc_key_ver,
principal->key_version,
principal->attributes,
htonl (principal->key_low),
htonl (principal->key_high));
print_time(a->output_file, principal->exp_date);
print_time(a->output_file, principal->mod_date);
fprintf(a->output_file, " %s %s\n",
principal->mod_name,
principal->mod_instance);
return 0;
}
int
dump_db (db_file, output_file, cv_key)
char *db_file;
FILE *output_file;
void (*cv_key)();
{
struct callback_args a;
a.cv_key = cv_key;
a.output_file = output_file;
kerb_db_iterate (dump_db_1, (char *)&a);
return fflush(output_file);
}
void
load_db (db_file, input_file)
char *db_file;
FILE *input_file;
{
char exp_date_str[50];
char mod_date_str[50];
int temp1, temp2, temp3;
long time_explode();
int code;
char *temp_db_file;
temp1 = strlen(db_file)+2;
temp_db_file = malloc (temp1);
strcpy(temp_db_file, db_file);
strcat(temp_db_file, "~");
/* Create the database */
if ((code = kerb_db_create(temp_db_file)) != 0) {
fprintf(stderr, "Couldn't create temp database %s: %s\n",
temp_db_file, sys_errlist[code]);
exit(1);
}
kerb_db_set_name(temp_db_file);
for (;;) { /* explicit break on eof from fscanf */
bzero((char *)&aprinc, sizeof(aprinc));
if (fscanf(input_file,
"%s %s %d %d %d %hd %lx %lx %s %s %s %s\n",
aprinc.name,
aprinc.instance,
&temp1,
&temp2,
&temp3,
&aprinc.attributes,
&aprinc.key_low,
&aprinc.key_high,
exp_date_str,
mod_date_str,
aprinc.mod_name,
aprinc.mod_instance) == EOF)
break;
aprinc.key_low = ntohl (aprinc.key_low);
aprinc.key_high = ntohl (aprinc.key_high);
aprinc.max_life = (unsigned char) temp1;
aprinc.kdc_key_ver = (unsigned char) temp2;
aprinc.key_version = (unsigned char) temp3;
aprinc.exp_date = time_explode(exp_date_str);
aprinc.mod_date = time_explode(mod_date_str);
if (aprinc.instance[0] == '*')
aprinc.instance[0] = '\0';
if (aprinc.mod_name[0] == '*')
aprinc.mod_name[0] = '\0';
if (aprinc.mod_instance[0] == '*')
aprinc.mod_instance[0] = '\0';
if (kerb_db_put_principal(&aprinc, 1) != 1) {
fprintf(stderr, "Couldn't store %s.%s: %s; load aborted\n",
aprinc.name, aprinc.instance,
sys_errlist[errno]);
exit(1);
};
}
if ((code = kerb_db_rename(temp_db_file, db_file)) != 0)
perror("database rename failed");
(void) fclose(input_file);
free(temp_db_file);
}
void
print_time(file, timeval)
FILE *file;
unsigned long timeval;
{
struct tm *tm;
struct tm *gmtime();
tm = gmtime((long *)&timeval);
fprintf(file, " %04d%02d%02d%02d%02d",
tm->tm_year < 1900 ? tm->tm_year + 1900: tm->tm_year,
tm->tm_mon + 1,
tm->tm_mday,
tm->tm_hour,
tm->tm_min);
}
/*ARGSUSED*/
void
update_ok_file (file_name)
char *file_name;
{
/* handle slave locking/failure stuff */
char *file_ok;
int fd;
static char ok[]=".dump_ok";
if ((file_ok = (char *)malloc(strlen(file_name) + strlen(ok) + 1))
== NULL) {
fprintf(stderr, "kdb_util: out of memory.\n");
(void) fflush (stderr);
perror ("malloc");
exit (1);
}
strcpy(file_ok, file_name);
strcat(file_ok, ok);
if ((fd = open(file_ok, O_WRONLY|O_CREAT|O_TRUNC, 0400)) < 0) {
fprintf(stderr, "Error creating 'ok' file, '%s'", file_ok);
perror("");
(void) fflush (stderr);
exit (1);
}
free(file_ok);
close(fd);
}
void
convert_key_new_master (p)
Principal *p;
{
des_cblock key;
/* leave null keys alone */
if ((p->key_low == 0) && (p->key_high == 0)) return;
/* move current key to des_cblock for encryption, special case master key
since that's changing */
if ((strncmp (p->name, KERB_M_NAME, ANAME_SZ) == 0) &&
(strncmp (p->instance, KERB_M_INST, INST_SZ) == 0)) {
bcopy((char *)new_master_key, (char *) key, sizeof (des_cblock));
(p->key_version)++;
} else {
bcopy((char *)&(p->key_low), (char *)key, 4);
bcopy((char *)&(p->key_high), (char *) (((long *) key) + 1), 4);
kdb_encrypt_key (key, key, master_key, master_key_schedule, DECRYPT);
}
kdb_encrypt_key (key, key, new_master_key, new_master_key_schedule, ENCRYPT);
bcopy((char *)key, (char *)&(p->key_low), 4);
bcopy((char *)(((long *) key) + 1), (char *)&(p->key_high), 4);
bzero((char *)key, sizeof (key)); /* a little paranoia ... */
(p->kdc_key_ver)++;
}
void
convert_new_master_key (db_file, out)
char *db_file;
FILE *out;
{
printf ("\n\nEnter the CURRENT master key.");
if (kdb_get_master_key (TRUE, master_key, master_key_schedule) != 0) {
fprintf (stderr, "get_master_key: Couldn't get master key.\n");
clear_secrets ();
exit (-1);
}
if (kdb_verify_master_key (master_key, master_key_schedule, stderr) < 0) {
clear_secrets ();
exit (-1);
}
printf ("\n\nNow enter the NEW master key. Do not forget it!!");
if (kdb_get_master_key (TRUE, new_master_key, new_master_key_schedule) != 0) {
fprintf (stderr, "get_master_key: Couldn't get new master key.\n");
clear_secrets ();
exit (-1);
}
dump_db (db_file, out, convert_key_new_master);
}
void
convert_key_old_db (p)
Principal *p;
{
des_cblock key;
/* leave null keys alone */
if ((p->key_low == 0) && (p->key_high == 0)) return;
bcopy((char *)&(p->key_low), (char *)key, 4);
bcopy((char *)&(p->key_high), (char *)(((long *) key) + 1), 4);
#ifndef NOENCRYPTION
des_pcbc_encrypt((des_cblock *)key,(des_cblock *)key,
(long)sizeof(des_cblock),master_key_schedule,
(des_cblock *)master_key_schedule,DECRYPT);
#endif
/* make new key, new style */
kdb_encrypt_key (key, key, master_key, master_key_schedule, ENCRYPT);
bcopy((char *)key, (char *)&(p->key_low), 4);
bcopy((char *)(((long *) key) + 1), (char *)&(p->key_high), 4);
bzero((char *)key, sizeof (key)); /* a little paranoia ... */
}
void
convert_old_format_db (db_file, out)
char *db_file;
FILE *out;
{
des_cblock key_from_db;
Principal principal_data[1];
int n, more;
if (kdb_get_master_key (TRUE, master_key, master_key_schedule) != 0L) {
fprintf (stderr, "verify_master_key: Couldn't get master key.\n");
clear_secrets();
exit (-1);
}
/* can't call kdb_verify_master_key because this is an old style db */
/* lookup the master key version */
n = kerb_get_principal(KERB_M_NAME, KERB_M_INST, principal_data,
1 /* only one please */, &more);
if ((n != 1) || more) {
fprintf(stderr, "verify_master_key: "
"Kerberos error on master key lookup, %d found.\n",
n);
exit (-1);
}
/* set up the master key */
fprintf(stderr, "Current Kerberos master key version is %d.\n",
principal_data[0].kdc_key_ver);
/*
* now use the master key to decrypt (old style) the key in the db, had better
* be the same!
*/
bcopy((char *)&principal_data[0].key_low, (char *)key_from_db, 4);
bcopy((char *)&principal_data[0].key_high,
(char *)(((long *) key_from_db) + 1), 4);
#ifndef NOENCRYPTION
des_pcbc_encrypt((des_cblock *)key_from_db,(des_cblock *)key_from_db,
(long)sizeof(key_from_db),master_key_schedule,
(des_cblock *)master_key_schedule,DECRYPT);
#endif
/* the decrypted database key had better equal the master key */
n = bcmp((char *) master_key, (char *) key_from_db,
sizeof(master_key));
bzero((char *)key_from_db, sizeof(key_from_db));
if (n) {
fprintf(stderr, "\n\07\07verify_master_key: Invalid master key, ");
fprintf(stderr, "does not match database.\n");
exit (-1);
}
fprintf(stderr, "Master key verified.\n");
(void) fflush(stderr);
dump_db (db_file, out, convert_key_old_db);
}
long
time_explode(cp)
register char *cp;
{
char wbuf[5];
struct tm tp;
long maketime();
int local;
zaptime(&tp); /* clear out the struct */
if (strlen(cp) > 10) { /* new format */
(void) strncpy(wbuf, cp, 4);
wbuf[4] = 0;
tp.tm_year = atoi(wbuf);
cp += 4; /* step over the year */
local = 0; /* GMT */
} else { /* old format: local time,
year is 2 digits, assuming 19xx */
wbuf[0] = *cp++;
wbuf[1] = *cp++;
wbuf[2] = 0;
tp.tm_year = 1900 + atoi(wbuf);
local = 1; /* local */
}
wbuf[0] = *cp++;
wbuf[1] = *cp++;
wbuf[2] = 0;
tp.tm_mon = atoi(wbuf)-1;
wbuf[0] = *cp++;
wbuf[1] = *cp++;
tp.tm_mday = atoi(wbuf);
wbuf[0] = *cp++;
wbuf[1] = *cp++;
tp.tm_hour = atoi(wbuf);
wbuf[0] = *cp++;
wbuf[1] = *cp++;
tp.tm_min = atoi(wbuf);
return(maketime(&tp, local));
}
-11
View File
@@ -1,11 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.3 1995/07/18 16:37:42 mark Exp $
PROG= kdestroy
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../include -DBSD42 -Wall
DPADD= ${LIBKRB}
LDADD= -L${KRBOBJDIR} -lkrb -ldes
BINDIR= /usr/bin
MAN1= kdestroy.1
.include <bsd.prog.mk>
-81
View File
@@ -1,81 +0,0 @@
.\" from: kdestroy.1,v 4.9 89/01/23 11:39:50 jtkohl Exp $
.\" $Id: kdestroy.1,v 1.2 1994/07/19 19:27:32 g89r4222 Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KDESTROY 1 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kdestroy \- destroy Kerberos tickets
.SH SYNOPSIS
.B kdestroy
[
.B \-f
]
[
.B \-q
]
.SH DESCRIPTION
The
.I kdestroy
utility destroys the user's active
Kerberos
authorization tickets by writing zeros to the file that contains them.
If the ticket file does not exist,
.I kdestroy
displays a message to that effect.
.PP
After overwriting the file,
.I kdestroy
removes the file from the system.
The utility
displays a message indicating the success or failure of the
operation.
If
.I kdestroy
is unable to destroy the ticket file,
the utility will warn you by making your terminal beep.
.PP
In the Athena workstation environment,
the
.I toehold
service automatically destroys your tickets when you
end a workstation session.
If your site does not provide a similar ticket-destroying mechanism,
you can place the
.I kdestroy
command in your
.I .logout
file so that your tickets are destroyed automatically
when you logout.
.PP
The options to
.I kdestroy
are as follows:
.TP 7
.B \-f
.I kdestroy
runs without displaying the status message.
.TP
.B \-q
.I kdestroy
will not make your terminal beep if it fails to destroy the tickets.
.SH FILES
KRBTKFILE environment variable if set, otherwise
.br
/tmp/tkt[uid]
.SH SEE ALSO
kerberos(1), kinit(1), klist(1)
.SH BUGS
.PP
Only the tickets in the user's current ticket file are destroyed.
Separate ticket files are used to hold root instance and password
changing tickets. These files should probably be destroyed too, or
all of a user's tickets kept in a single ticket file.
.SH AUTHORS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
.br
Clifford Neuman, MIT Project Athena
.br
Bill Sommerfeld, MIT Project Athena
-83
View File
@@ -1,83 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* This program causes Kerberos tickets to be destroyed.
* Options are:
*
* -q[uiet] - no bell even if tickets not destroyed
* -f[orce] - no message printed at all
*
* from: kdestroy.c,v 4.5 88/03/18 15:16:02 steiner Exp $
* $Id: kdestroy.c,v 1.3 1995/07/18 16:37:44 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: kdestroy.c,v 1.3 1995/07/18 16:37:44 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <krb.h>
#ifdef BSD42
#include <strings.h>
#endif BSD42
static char *pname;
static void
usage()
{
fprintf(stderr, "Usage: %s [-f] [-q]\n", pname);
exit(1);
}
int
main(argc, argv)
int argc;
char *argv[];
{
int fflag=0, qflag=0, k_errno;
register char *cp;
cp = rindex (argv[0], '/');
if (cp == NULL)
pname = argv[0];
else
pname = cp+1;
if (argc > 2)
usage();
else if (argc == 2) {
if (!strcmp(argv[1], "-f"))
++fflag;
else if (!strcmp(argv[1], "-q"))
++qflag;
else usage();
}
k_errno = dest_tkt();
if (fflag) {
if (k_errno != 0 && k_errno != RET_TKFIL)
exit(1);
else
exit(0);
} else {
if (k_errno == 0)
printf("Tickets destroyed.\n");
else if (k_errno == RET_TKFIL)
fprintf(stderr, "No tickets to destroy.\n");
else {
fprintf(stderr, "Tickets NOT destroyed.\n");
if (!qflag)
fprintf(stderr, "\007");
exit(1);
}
}
exit(0);
}
-11
View File
@@ -1,11 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.3 1995/07/18 16:37:47 mark Exp $
PROG= kerberos
SRCS= kerberos.c cr_err_reply.c
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../include -Wall
DPADD= ${LIBKDB} ${LIBKRB}
LDADD= -L${KDBOBJDIR} -lkdb -L${KRBOBJDIR} -lkrb -ldes
NOMAN= noman
.include <bsd.prog.mk>
-97
View File
@@ -1,97 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: cr_err_reply.c,v 4.10 89/01/10 11:34:42 steiner Exp $
* $Id: cr_err_reply.c,v 1.2 1995/07/18 16:37:49 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: cr_err_reply.c,v 1.2 1995/07/18 16:37:49 mark Exp $";
#endif /* lint */
#endif
#include <sys/types.h>
#include <krb.h>
#include <prot.h>
#include <strings.h>
extern int req_act_vno; /* this is defined in the kerberos
* server code */
/*
* This routine is used by the Kerberos authentication server to
* create an error reply packet to send back to its client.
*
* It takes a pointer to the packet to be built, the name, instance,
* and realm of the principal, the client's timestamp, an error code
* and an error string as arguments. Its return value is undefined.
*
* The packet is built in the following format:
*
* type variable data
* or constant
* ---- ----------- ----
*
* unsigned char req_ack_vno protocol version number
*
* unsigned char AUTH_MSG_ERR_REPLY protocol message type
*
* [least significant HOST_BYTE_ORDER sender's (server's) byte
* bit of above field] order
*
* string pname principal's name
*
* string pinst principal's instance
*
* string prealm principal's realm
*
* unsigned long time_ws client's timestamp
*
* unsigned long e error code
*
* string e_string error text
*/
void
cr_err_reply(pkt,pname,pinst,prealm,time_ws,e,e_string)
KTEXT pkt;
char *pname; /* Principal's name */
char *pinst; /* Principal's instance */
char *prealm; /* Principal's authentication domain */
u_long time_ws; /* Workstation time */
u_long e; /* Error code */
char *e_string; /* Text of error */
{
u_char *v = (u_char *) pkt->dat; /* Prot vers number */
u_char *t = (u_char *)(pkt->dat+1); /* Prot message type */
/* Create fixed part of packet */
*v = (unsigned char) req_act_vno; /* KRB_PROT_VERSION; */
*t = (unsigned char) AUTH_MSG_ERR_REPLY;
*t |= HOST_BYTE_ORDER;
/* Add the basic info */
(void) strcpy((char *) (pkt->dat+2),pname);
pkt->length = 3 + strlen(pname);
(void) strcpy((char *)(pkt->dat+pkt->length),pinst);
pkt->length += 1 + strlen(pinst);
(void) strcpy((char *)(pkt->dat+pkt->length),prealm);
pkt->length += 1 + strlen(prealm);
/* ws timestamp */
bcopy((char *) &time_ws,(char *)(pkt->dat+pkt->length),4);
pkt->length += 4;
/* err code */
bcopy((char *) &e,(char *)(pkt->dat+pkt->length),4);
pkt->length += 4;
/* err text */
(void) strcpy((char *)(pkt->dat+pkt->length),e_string);
pkt->length += 1 + strlen(e_string);
/* And return */
return;
}
-816
View File
@@ -1,816 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: kerberos.c,v 4.19 89/11/01 17:18:07 qjb Exp $
* $Id: kerberos.c,v 1.4 1995/07/18 16:37:51 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: kerberos.c,v 1.4 1995/07/18 16:37:51 mark Exp $";
#endif lint
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <signal.h>
#include <sgtty.h>
#include <sys/ioctl.h>
#include <sys/time.h>
#include <sys/file.h>
#include <ctype.h>
#include <krb.h>
#include <des.h>
#include <klog.h>
#include <prot.h>
#include <krb_db.h>
#include <kdc.h>
void cr_err_reply(KTEXT pkt, char *pname, char *pinst, char *prealm,
u_long time_ws, u_long e, char *e_string);
void kerb_err_reply(struct sockaddr_in *client, KTEXT pkt, long err,
char *string);
void setup_disc(void);
void kerberos(struct sockaddr_in *client, KTEXT pkt);
int check_princ(char *p_name, char *instance, unsigned lifetime, Principal *p);
int set_tgtkey(char *r);
struct sockaddr_in s_in = {AF_INET};
int f;
/* XXX several files in libkdb know about this */
char *progname;
static Key_schedule master_key_schedule;
static C_Block master_key;
static struct timeval kerb_time;
static Principal a_name_data; /* for requesting user */
static Principal s_name_data; /* for services requested */
static C_Block session_key;
static u_char master_key_version;
static char k_instance[INST_SZ];
static char *lt;
static int more;
static int mflag; /* Are we invoked manually? */
static int lflag; /* Have we set an alterate log file? */
static char *log_file; /* name of alt. log file */
static int nflag; /* don't check max age */
static int rflag; /* alternate realm specified */
/* fields within the received request packet */
static u_char req_msg_type;
static u_char req_version;
static char *req_name_ptr;
static char *req_inst_ptr;
static char *req_realm_ptr;
static u_long req_time_ws;
int req_act_vno = KRB_PROT_VERSION; /* Temporary for version skew */
static char local_realm[REALM_SZ];
/* statistics */
static long q_bytes; /* current bytes remaining in queue */
static long q_n; /* how many consecutive non-zero
* q_bytes */
static long max_q_bytes;
static long max_q_n;
static long n_auth_req;
static long n_appl_req;
static long n_packets;
static long max_age = -1;
static long pause_int = -1;
static void check_db_age();
static void hang();
/*
* Print usage message and exit.
*/
static void usage()
{
fprintf(stderr, "Usage: %s [-s] [-m] [-n] [-p pause_seconds]%s%s\n", progname,
" [-a max_age] [-l log_file] [-r realm]"
," [database_pathname]"
);
exit(1);
}
int
main(argc, argv)
int argc;
char **argv;
{
struct sockaddr_in from;
register int n;
int on = 1;
int child;
struct servent *sp;
int fromlen;
static KTEXT_ST pkt_st;
KTEXT pkt = &pkt_st;
int kerror;
int c;
extern char *optarg;
extern int optind;
progname = argv[0];
while ((c = getopt(argc, argv, "snmp:a:l:r:")) != EOF) {
switch(c) {
case 's':
/*
* Set parameters to slave server defaults.
*/
if (max_age == -1 && !nflag)
max_age = ONE_DAY; /* 24 hours */
if (pause_int == -1)
pause_int = FIVE_MINUTES; /* 5 minutes */
if (lflag == 0) {
log_file = KRBSLAVELOG;
lflag++;
}
break;
case 'n':
max_age = -1; /* don't check max age. */
nflag++;
break;
case 'm':
mflag++; /* running manually; prompt for master key */
break;
case 'p':
/* Set pause interval. */
if (!isdigit(optarg[0]))
usage();
pause_int = atoi(optarg);
if ((pause_int < 5) || (pause_int > ONE_HOUR)) {
fprintf(stderr, "pause_int must be between 5 and 3600 seconds.\n");
usage();
}
break;
case 'a':
/* Set max age. */
if (!isdigit(optarg[0]))
usage();
max_age = atoi(optarg);
if ((max_age < ONE_HOUR) || (max_age > THREE_DAYS)) {
fprintf(stderr, "max_age must be between one hour and three days, in seconds\n");
usage();
}
break;
case 'l':
/* Set alternate log file */
lflag++;
log_file = optarg;
break;
case 'r':
/* Set realm name */
rflag++;
strcpy(local_realm, optarg);
break;
default:
usage();
break;
}
}
if (optind == (argc-1)) {
if (kerb_db_set_name(argv[optind]) != 0) {
fprintf(stderr, "Could not set alternate database name\n");
exit(1);
}
optind++;
}
if (optind != argc)
usage();
printf("Kerberos server starting\n");
if ((!nflag) && (max_age != -1))
printf("\tMaximum database age: %ld seconds\n", max_age);
if (pause_int != -1)
printf("\tSleep for %ld seconds on error\n", pause_int);
else
printf("\tSleep forever on error\n");
if (mflag)
printf("\tMaster key will be entered manually\n");
printf("\tLog file is %s\n", lflag ? log_file : KRBLOG);
if (lflag)
kset_logfile(log_file);
/* find our hostname, and use it as the instance */
if (gethostname(k_instance, INST_SZ)) {
fprintf(stderr, "%s: gethostname error\n", progname);
exit(1);
}
if ((sp = getservbyname("kerberos", "udp")) == 0) {
fprintf(stderr, "%s: udp/kerberos unknown service\n", progname);
exit(1);
}
s_in.sin_port = sp->s_port;
if ((f = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
fprintf(stderr, "%s: Can't open socket\n", progname);
exit(1);
}
if (setsockopt(f, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) < 0)
fprintf(stderr, "%s: setsockopt (SO_REUSEADDR)\n", progname);
if (bind(f, (struct sockaddr *) &s_in, S_AD_SZ) < 0) {
fprintf(stderr, "%s: Can't bind socket\n", progname);
exit(1);
}
/* do all the database and cache inits */
if ((n = kerb_init())) {
if (mflag) {
printf("Kerberos db and cache init ");
printf("failed = %d ...exiting\n", n);
exit(-1);
} else {
klog(L_KRB_PERR,
"Kerberos db and cache init failed = %d ...exiting", n);
hang();
}
}
/* Make sure database isn't stale */
check_db_age();
/* setup master key */
if (kdb_get_master_key (mflag, master_key, master_key_schedule) != 0) {
klog (L_KRB_PERR, "kerberos: couldn't get master key.\n");
exit (-1);
}
kerror = kdb_verify_master_key (master_key, master_key_schedule, stdout);
if (kerror < 0) {
klog (L_KRB_PERR, "Can't verify master key.");
bzero (master_key, sizeof (master_key));
bzero (master_key_schedule, sizeof (master_key_schedule));
exit (-1);
}
master_key_version = (u_char) kerror;
fprintf(stdout, "\nCurrent Kerberos master key version is %d\n",
master_key_version);
if (!rflag) {
/* Look up our local realm */
krb_get_lrealm(local_realm, 1);
}
fprintf(stdout, "Local realm: %s\n", local_realm);
fflush(stdout);
if (set_tgtkey(local_realm)) {
/* Ticket granting service unknown */
klog(L_KRB_PERR, "Ticket granting ticket service unknown");
fprintf(stderr, "Ticket granting ticket service unknown\n");
exit(1);
}
if (mflag) {
if ((child = fork()) != 0) {
printf("Kerberos started, PID=%d\n", child);
exit(0);
}
setup_disc();
}
/* receive loop */
for (;;) {
fromlen = S_AD_SZ;
n = recvfrom(f, pkt->dat, MAX_PKT_LEN, 0, (struct sockaddr *) &from,
&fromlen);
if (n > 0) {
pkt->length = n;
pkt->mbz = 0; /* force zeros to catch runaway strings */
/* see what is left in the input queue */
ioctl(f, FIONREAD, &q_bytes);
gettimeofday(&kerb_time, NULL);
q_n++;
max_q_n = max(max_q_n, q_n);
n_packets++;
klog(L_NET_INFO,
"q_byt %d, q_n %d, rd_byt %d, mx_q_b %d, mx_q_n %d, n_pkt %d",
q_bytes, q_n, n, max_q_bytes, max_q_n, n_packets, 0);
max_q_bytes = max(max_q_bytes, q_bytes);
if (!q_bytes)
q_n = 0; /* reset consecutive packets */
kerberos(&from, pkt);
} else
klog(L_NET_ERR,
"%s: bad recvfrom n = %d errno = %d", progname, n, errno, 0);
}
}
void
kerberos(client, pkt)
struct sockaddr_in *client;
KTEXT pkt;
{
static KTEXT_ST rpkt_st;
KTEXT rpkt = &rpkt_st;
static KTEXT_ST ciph_st;
KTEXT ciph = &ciph_st;
static KTEXT_ST tk_st;
KTEXT tk = &tk_st;
static KTEXT_ST auth_st;
KTEXT auth = &auth_st;
AUTH_DAT ad_st;
AUTH_DAT *ad = &ad_st;
static struct in_addr client_host;
static int msg_byte_order;
static int swap_bytes;
static u_char k_flags;
u_long lifetime;
int i;
C_Block key;
Key_schedule key_s;
char *ptr;
ciph->length = 0;
client_host = client->sin_addr;
/* eval macros and correct the byte order and alignment as needed */
req_version = pkt_version(pkt); /* 1 byte, version */
req_msg_type = pkt_msg_type(pkt); /* 1 byte, Kerberos msg type */
req_act_vno = req_version;
/* check packet version */
if (req_version != KRB_PROT_VERSION) {
lt = klog(L_KRB_PERR,
"KRB prot version mismatch: KRB =%d request = %d",
KRB_PROT_VERSION, req_version, 0);
/* send an error reply */
kerb_err_reply(client, pkt, KERB_ERR_PKT_VER, lt);
return;
}
msg_byte_order = req_msg_type & 1;
swap_bytes = 0;
if (msg_byte_order != HOST_BYTE_ORDER) {
swap_bytes++;
}
klog(L_KRB_PINFO,
"Prot version: %d, Byte order: %d, Message type: %d",
req_version, msg_byte_order, req_msg_type);
switch (req_msg_type & ~1) {
case AUTH_MSG_KDC_REQUEST:
{
u_long req_life; /* Requested liftime */
char *service; /* Service name */
char *instance; /* Service instance */
n_auth_req++;
tk->length = 0;
k_flags = 0; /* various kerberos flags */
/* set up and correct for byte order and alignment */
req_name_ptr = (char *) pkt_a_name(pkt);
req_inst_ptr = (char *) pkt_a_inst(pkt);
req_realm_ptr = (char *) pkt_a_realm(pkt);
bcopy(pkt_time_ws(pkt), &req_time_ws, sizeof(req_time_ws));
/* time has to be diddled */
if (swap_bytes) {
swap_u_long(req_time_ws);
}
ptr = (char *) pkt_time_ws(pkt) + 4;
req_life = (u_long) (*ptr++);
service = ptr;
instance = ptr + strlen(service) + 1;
rpkt = &rpkt_st;
klog(L_INI_REQ,
"Initial ticket request Host: %s User: \"%s\" \"%s\"",
inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0);
if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
&a_name_data))) {
kerb_err_reply(client, pkt, i, lt);
return;
}
tk->length = 0; /* init */
if (strcmp(service, "krbtgt"))
klog(L_NTGT_INTK,
"INITIAL request from %s.%s for %s.%s",
req_name_ptr, req_inst_ptr, service, instance, 0);
/* this does all the checking */
if ((i = check_princ(service, instance, lifetime,
&s_name_data))) {
kerb_err_reply(client, pkt, i, lt);
return;
}
/* Bound requested lifetime with service and user */
lifetime = min(req_life, ((u_long) s_name_data.max_life));
lifetime = min(lifetime, ((u_long) a_name_data.max_life));
#ifdef NOENCRYPTION
bzero(session_key, sizeof(C_Block));
#else
random_key(session_key);
#endif
/* unseal server's key from master key */
bcopy(&s_name_data.key_low, key, 4);
bcopy(&s_name_data.key_high, ((long *) key) + 1, 4);
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
/* construct and seal the ticket */
krb_create_ticket(tk, k_flags, a_name_data.name,
a_name_data.instance, local_realm,
client_host.s_addr, session_key, lifetime, kerb_time.tv_sec,
s_name_data.name, s_name_data.instance, key);
bzero(key, sizeof(key));
bzero(key_s, sizeof(key_s));
/*
* get the user's key, unseal it from the server's key, and
* use it to seal the cipher
*/
/* a_name_data.key_low a_name_data.key_high */
bcopy(&a_name_data.key_low, key, 4);
bcopy(&a_name_data.key_high, ((long *) key) + 1, 4);
/* unseal the a_name key from the master key */
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
create_ciph(ciph, session_key, s_name_data.name,
s_name_data.instance, local_realm, lifetime,
s_name_data.key_version, tk, kerb_time.tv_sec, key);
/* clear session key */
bzero(session_key, sizeof(session_key));
bzero(key, sizeof(key));
/* always send a reply packet */
rpkt = create_auth_reply(req_name_ptr, req_inst_ptr,
req_realm_ptr, req_time_ws, 0, a_name_data.exp_date,
a_name_data.key_version, ciph);
sendto(f, rpkt->dat, rpkt->length, 0, (struct sockaddr *) client,
S_AD_SZ);
bzero(&a_name_data, sizeof(a_name_data));
bzero(&s_name_data, sizeof(s_name_data));
break;
}
case AUTH_MSG_APPL_REQUEST:
{
u_long time_ws; /* Workstation time */
u_long req_life; /* Requested liftime */
char *service; /* Service name */
char *instance; /* Service instance */
int kerno; /* Kerberos error number */
char tktrlm[REALM_SZ];
n_appl_req++;
tk->length = 0;
k_flags = 0; /* various kerberos flags */
auth->length = 4 + strlen(pkt->dat + 3);
auth->length += (int) *(pkt->dat + auth->length) +
(int) *(pkt->dat + auth->length + 1) + 2;
bcopy(pkt->dat, auth->dat, auth->length);
strncpy(tktrlm, auth->dat + 3, REALM_SZ);
if (set_tgtkey(tktrlm)) {
lt = klog(L_ERR_UNK,
"FAILED realm %s unknown. Host: %s ",
tktrlm, inet_ntoa(client_host));
kerb_err_reply(client, pkt, kerno, lt);
return;
}
kerno = krb_rd_req(auth, "ktbtgt", tktrlm, client_host.s_addr,
ad, 0);
if (kerno) {
klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
inet_ntoa(client_host), krb_err_txt[kerno]);
kerb_err_reply(client, pkt, kerno, "krb_rd_req failed");
return;
}
ptr = (char *) pkt->dat + auth->length;
bcopy(ptr, &time_ws, 4);
ptr += 4;
req_life = (u_long) (*ptr++);
service = ptr;
instance = ptr + strlen(service) + 1;
klog(L_APPL_REQ, "APPL Request %s.%s@%s on %s for %s.%s",
ad->pname, ad->pinst, ad->prealm, inet_ntoa(client_host),
service, instance, 0);
if (strcmp(ad->prealm, tktrlm)) {
kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
return;
}
if (!strcmp(service, "changepw")) {
kerb_err_reply(client, pkt, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password changed based on TGT");
return;
}
kerno = check_princ(service, instance, req_life,
&s_name_data);
if (kerno) {
kerb_err_reply(client, pkt, kerno, lt);
return;
}
/* Bound requested lifetime with service and user */
lifetime = min(req_life,
(ad->life - ((kerb_time.tv_sec - ad->time_sec) / 300)));
lifetime = min(lifetime, ((u_long) s_name_data.max_life));
/* unseal server's key from master key */
bcopy(&s_name_data.key_low, key, 4);
bcopy(&s_name_data.key_high, ((long *) key) + 1, 4);
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
/* construct and seal the ticket */
#ifdef NOENCRYPTION
bzero(session_key, sizeof(C_Block));
#else
random_key(session_key);
#endif
krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
ad->prealm, client_host.s_addr,
session_key, lifetime, kerb_time.tv_sec,
s_name_data.name, s_name_data.instance,
key);
bzero(key, sizeof(key));
bzero(key_s, sizeof(key_s));
create_ciph(ciph, session_key, service, instance,
local_realm,
lifetime, s_name_data.key_version, tk,
kerb_time.tv_sec, ad->session);
/* clear session key */
bzero(session_key, sizeof(session_key));
bzero(ad->session, sizeof(ad->session));
rpkt = create_auth_reply(ad->pname, ad->pinst,
ad->prealm, time_ws,
0, 0, 0, ciph);
sendto(f, rpkt->dat, rpkt->length, 0, (struct sockaddr *) client,
S_AD_SZ);
bzero(&s_name_data, sizeof(s_name_data));
break;
}
#ifdef notdef_DIE
case AUTH_MSG_DIE:
{
lt = klog(L_DEATH_REQ,
"Host: %s User: \"%s\" \"%s\" Kerberos killed",
inet_ntoa(client_host), req_name_ptr, req_inst_ptr, 0);
exit(0);
}
#endif notdef_DIE
default:
{
lt = klog(L_KRB_PERR,
"Unknown message type: %d from %s port %u",
req_msg_type, inet_ntoa(client_host),
ntohs(client->sin_port));
break;
}
}
}
/*
* setup_disc
*
* disconnect all descriptors, remove ourself from the process
* group that spawned us.
*/
void
setup_disc()
{
int s;
for (s = 0; s < 3; s++) {
(void) close(s);
}
(void) open("/dev/null", 0);
(void) dup2(0, 1);
(void) dup2(0, 2);
s = open("/dev/tty", 2);
if (s >= 0) {
ioctl(s, TIOCNOTTY, (struct sgttyb *) 0);
(void) close(s);
}
(void) chdir("/tmp");
}
/*
* kerb_er_reply creates an error reply packet and sends it to the
* client.
*/
void
kerb_err_reply(client, pkt, err, string)
struct sockaddr_in *client;
KTEXT pkt;
long err;
char *string;
{
static KTEXT_ST e_pkt_st;
KTEXT e_pkt = &e_pkt_st;
static char e_msg[128];
strcpy(e_msg, "\nKerberos error -- ");
strcat(e_msg, string);
cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
req_time_ws, err, e_msg);
sendto(f, e_pkt->dat, e_pkt->length, 0, (struct sockaddr *) client,
S_AD_SZ);
}
/*
* Make sure that database isn't stale.
*
* Exit if it is; we don't want to tell lies.
*/
static void check_db_age()
{
long age;
if (max_age != -1) {
/* Requires existance of kerb_get_db_age() */
gettimeofday(&kerb_time, 0);
age = kerb_get_db_age();
if (age == 0) {
klog(L_KRB_PERR, "Database currently being updated!");
hang();
}
if ((age + max_age) < kerb_time.tv_sec) {
klog(L_KRB_PERR, "Database out of date!");
hang();
/* NOTREACHED */
}
}
}
int
check_princ(p_name, instance, lifetime, p)
char *p_name;
char *instance;
unsigned lifetime;
Principal *p;
{
static int n;
static int more;
n = kerb_get_principal(p_name, instance, p, 1, &more);
klog(L_ALL_REQ,
"Principal: \"%s\", Instance: \"%s\" Lifetime = %d n = %d",
p_name, instance, lifetime, n, 0);
if (n < 0) {
lt = klog(L_KRB_PERR, "Database unavailable!");
hang();
}
/*
* if more than one p_name, pick one, randomly create a session key,
* compute maximum lifetime, lookup authorizations if applicable,
* and stuff into cipher.
*/
if (n == 0) {
/* service unknown, log error, skip to next request */
lt = klog(L_ERR_UNK, "UNKNOWN \"%s\" \"%s\"", p_name,
instance, 0);
return KERB_ERR_PRINCIPAL_UNKNOWN;
}
if (more) {
/* not unique, log error */
lt = klog(L_ERR_NUN, "Principal NOT UNIQUE \"%s\" \"%s\"",
p_name, instance, 0);
return KERB_ERR_PRINCIPAL_NOT_UNIQUE;
}
/* If the user's key is null, we want to return an error */
if ((p->key_low == 0) && (p->key_high == 0)) {
/* User has a null key */
lt = klog(L_ERR_NKY, "Null key \"%s\" \"%s\"", p_name,
instance, 0);
return KERB_ERR_NULL_KEY;
}
if (master_key_version != p->kdc_key_ver) {
/* log error reply */
lt = klog(L_ERR_MKV,
"Key vers incorrect, KRB = %d, \"%s\" \"%s\" = %d",
master_key_version, p->name, p->instance, p->kdc_key_ver,
0);
return KERB_ERR_NAME_MAST_KEY_VER;
}
/* make sure the service hasn't expired */
if ((u_long) p->exp_date < (u_long) kerb_time.tv_sec) {
/* service did expire, log it */
lt = klog(L_ERR_SEXP,
"EXPIRED \"%s\" \"%s\" %s", p->name, p->instance,
stime(&(p->exp_date)), 0);
return KERB_ERR_NAME_EXP;
}
/* ok is zero */
return 0;
}
/* Set the key for krb_rd_req so we can check tgt */
int
set_tgtkey(r)
char *r; /* Realm for desired key */
{
int n;
static char lastrealm[REALM_SZ];
Principal p_st;
Principal *p = &p_st;
C_Block key;
if (!strcmp(lastrealm, r))
return (KSUCCESS);
log("Getting key for %s", r);
n = kerb_get_principal("krbtgt", r, p, 1, &more);
if (n == 0)
return (KFAILURE);
/* unseal tgt key from master key */
bcopy(&p->key_low, key, 4);
bcopy(&p->key_high, ((long *) key) + 1, 4);
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
krb_set_key(key, 0);
strcpy(lastrealm, r);
return (KSUCCESS);
}
static void
hang()
{
if (pause_int == -1) {
klog(L_KRB_PERR, "Kerberos will pause so as not to loop init");
for (;;)
pause();
} else {
char buf[256];
sprintf(buf, "Kerberos will wait %ld seconds before dying so as not to loop init", pause_int);
klog(L_KRB_PERR, buf);
sleep(pause_int);
klog(L_KRB_PERR, "Do svedania....\n");
exit(1);
}
}
-11
View File
@@ -1,11 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.3 1995/07/18 16:37:53 mark Exp $
PROG= kinit
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../include -DBSD42 -Wall
DPADD= ${LIBKRB} ${LIBDES}
LDADD= -L${KRBOBJDIR} -lkrb -ldes
BINDIR= /usr/bin
MAN1= kinit.1
.include <bsd.prog.mk>
-133
View File
@@ -1,133 +0,0 @@
.\" from: kinit.1,v 4.6 89/01/23 11:39:11 jtkohl Exp $
.\" $Id: kinit.1,v 1.2 1994/07/19 19:27:36 g89r4222 Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KINIT 1 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
kinit \- Kerberos login utility
.SH SYNOPSIS
.B kinit
[
.B \-irvl
]
.SH DESCRIPTION
The
.I kinit
command is used to login to the
Kerberos
authentication and authorization system.
Note that only registered
Kerberos
users can use the
Kerberos
system.
For information about registering as a
Kerberos
user,
see the
.I kerberos(1)
manual page.
.PP
If you are logged in to a workstation that is running the
.I toehold
service,
you do not have to use
.I kinit.
The
.I toehold
login procedure will log you into
Kerberos
automatically.
You will need to use
.I kinit
only in those situations in which
your original tickets have expired.
(Tickets expire in about a day.)
Note as well that
.I toehold
will automatically destroy your tickets when you logout from the workstation.
.PP
When you use
.I kinit
without options,
the utility
prompts for your username and Kerberos password,
and tries to authenticate your login with the local
Kerberos
server.
.PP
If
Kerberos
authenticates the login attempt,
.I kinit
retrieves your initial ticket and puts it in the ticket file specified by
your KRBTKFILE environment variable.
If this variable is undefined,
your ticket will be stored in the
.IR /tmp
directory,
in the file
.I tktuid ,
where
.I uid
specifies your user identification number.
.PP
If you have logged in to
Kerberos
without the benefit of the workstation
.I toehold
system,
make sure you use the
.I kdestroy
command to destroy any active tickets before you end your login session.
You may want to put the
.I kdestroy
command in your
.I \.logout
file so that your tickets will be destroyed automatically when you logout.
.PP
The options to
.I kinit
are as follows:
.TP 7
.B \-i
.I kinit
prompts you for a
Kerberos
instance.
.TP
.B \-r
.I kinit
prompts you for a
Kerberos
realm.
This option lets you authenticate yourself with a remote
Kerberos
server.
.TP
.B \-v
Verbose mode.
.I kinit
prints the name of the ticket file used, and
a status message indicating the success or failure of
your login attempt.
.TP
.B \-l
.I kinit
prompts you for a ticket lifetime in minutes. Due to protocol
restrictions in Kerberos Version 4, this value must be between 5 and
1275 minutes.
.SH SEE ALSO
.PP
kerberos(1), kdestroy(1), klist(1), toehold(1)
.SH BUGS
The
.B \-r
option has not been fully implemented.
.SH AUTHORS
Steve Miller, MIT Project Athena/Digital Equipment Corporation
.br
Clifford Neuman, MIT Project Athena
-224
View File
@@ -1,224 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* Routine to initialize user to Kerberos. Prompts optionally for
* user, instance and realm. Authenticates user and gets a ticket
* for the Kerberos ticket-granting service for future use.
*
* Options are:
*
* -i[instance]
* -r[realm]
* -v[erbose]
* -l[ifetime]
*
* from: kinit.c,v 4.12 90/03/20 16:11:15 jon Exp $
* $Id: kinit.c,v 1.4 1995/08/03 17:16:00 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: kinit.c,v 1.4 1995/08/03 17:16:00 mark Exp $";
#endif lint
#endif
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <pwd.h>
#include <krb.h>
#ifndef ORGANIZATION
#define ORGANIZATION "MIT Project Athena"
#endif /*ORGANIZATION*/
#ifdef PC
#define LEN 64 /* just guessing */
#endif PC
#if defined(BSD42) || defined(__FreeBSD__) || defined(__NetBSD__)
#include <strings.h>
#include <sys/param.h>
#if defined(ultrix) || defined(sun)
#define LEN 64
#else
#define LEN MAXHOSTNAMELEN
#endif /* defined(ultrix) || defined(sun) */
#endif /* BSD42 */
#define LIFE 96 /* lifetime of ticket in 5-minute units */
char *progname;
void usage(void);
void
get_input(s, size, stream)
char *s;
int size;
FILE *stream;
{
char *p;
if (fgets(s, size, stream) == NULL)
exit(1);
if ((p = index(s, '\n')) != NULL)
*p = '\0';
}
int
main(argc, argv)
int argc;
char *argv[];
{
char aname[ANAME_SZ];
char inst[INST_SZ];
char realm[REALM_SZ];
char buf[LEN];
char *username = NULL;
int iflag, rflag, vflag, lflag, lifetime, k_errno;
register char *cp;
register i;
*inst = *realm = '\0';
iflag = rflag = vflag = lflag = 0;
lifetime = LIFE;
progname = (cp = rindex(*argv, '/')) ? cp + 1 : *argv;
while (--argc) {
if ((*++argv)[0] != '-') {
if (username)
usage();
username = *argv;
continue;
}
for (i = 1; (*argv)[i] != '\0'; i++)
switch ((*argv)[i]) {
case 'i': /* Instance */
++iflag;
continue;
case 'r': /* Realm */
++rflag;
continue;
case 'v': /* Verbose */
++vflag;
continue;
case 'l':
++lflag;
continue;
default:
usage();
exit(1);
}
}
if (username &&
(k_errno = kname_parse(aname, inst, realm, username))
!= KSUCCESS) {
fprintf(stderr, "%s: %s\n", progname, krb_err_txt[k_errno]);
iflag = rflag = 1;
username = NULL;
}
if (k_gethostname(buf, LEN)) {
fprintf(stderr, "%s: k_gethostname failed\n", progname);
exit(1);
}
printf("%s (%s)\n", ORGANIZATION, buf);
if (username) {
printf("Kerberos Initialization for \"%s", aname);
if (*inst)
printf(".%s", inst);
if (*realm)
printf("@%s", realm);
printf("\"\n");
} else {
if (iflag) {
printf("Kerberos Initialization\n");
printf("Kerberos name: ");
get_input(aname, sizeof(aname), stdin);
} else {
int uid = getuid();
char *getenv();
struct passwd *pwd;
/* default to current user name unless running as root */
if (uid == 0 && (username = getenv("USER")) &&
strcmp(username, "root") != 0) {
strncpy(aname, username, sizeof(aname));
strncpy(inst, "root", sizeof(inst));
} else {
pwd = getpwuid(uid);
if (pwd == (struct passwd *) NULL) {
fprintf(stderr, "Unknown name for your uid\n");
printf("Kerberos name: ");
gets(aname);
} else
strncpy(aname, pwd->pw_name, sizeof(aname));
}
}
if (!*aname)
exit(0);
if (!k_isname(aname)) {
fprintf(stderr, "%s: bad Kerberos name format\n",
progname);
exit(1);
}
}
/* optional instance */
if (iflag) {
printf("Kerberos instance: ");
get_input(inst, sizeof(inst), stdin);
if (!k_isinst(inst)) {
fprintf(stderr, "%s: bad Kerberos instance format\n",
progname);
exit(1);
}
}
if (rflag) {
printf("Kerberos realm: ");
get_input(realm, sizeof(realm), stdin);
if (!k_isrealm(realm)) {
fprintf(stderr, "%s: bad Kerberos realm format\n",
progname);
exit(1);
}
}
if (lflag) {
printf("Kerberos ticket lifetime (minutes): ");
get_input(buf, sizeof(buf), stdin);
lifetime = atoi(buf);
if (lifetime < 5)
lifetime = 1;
else
lifetime /= 5;
/* This should be changed if the maximum ticket lifetime */
/* changes */
if (lifetime > 255)
lifetime = 255;
}
if (!*realm && krb_get_lrealm(realm, 1)) {
fprintf(stderr, "%s: krb_get_lrealm failed\n", progname);
exit(1);
}
k_errno = krb_get_pw_in_tkt(aname, inst, realm, "krbtgt", realm,
lifetime, 0);
if (vflag) {
printf("Kerberos realm %s:\n", realm);
printf("%s\n", krb_err_txt[k_errno]);
} else if (k_errno) {
fprintf(stderr, "%s: %s\n", progname, krb_err_txt[k_errno]);
exit(1);
}
return 0;
}
void
usage()
{
fprintf(stderr, "Usage: %s [-irvl] [name]\n", progname);
exit(1);
}
-11
View File
@@ -1,11 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.3 1995/07/18 16:37:57 mark Exp $
PROG= klist
CFLAGS+=-DKERBEROS -DDEBUG -I${.CURDIR}/../include -Wall
DPADD= ${LIBKRB} ${LIBDES}
LDADD= -L${KRBOBJDIR} -lkrb -ldes
BINDIR= /usr/bin
MAN1= klist.1
.include <bsd.prog.mk>
-84
View File
@@ -1,84 +0,0 @@
.\" from: klist.1,v 4.8 89/01/24 14:35:09 jtkohl Exp $
.\" $Id: klist.1,v 1.1.1.1 1994/09/30 14:50:06 csgr Exp $
.\" Copyright 1989 by the Massachusetts Institute of Technology.
.\"
.\" For copying and distribution information,
.\" please see the file <Copyright.MIT>.
.\"
.TH KLIST 1 "Kerberos Version 4.0" "MIT Project Athena"
.SH NAME
klist \- list currently held Kerberos tickets
.SH SYNOPSIS
.B klist
[
\fB\-s \fR|\fB \-t\fR
] [
.B \-file
name ] [
.B \-srvtab
]
.br
.SH DESCRIPTION
.I klist
prints the name of the tickets file and the
identity of the principal the tickets are for (as listed in the
tickets file), and
lists the principal names of all Kerberos tickets currently held by
the user, along with the issue and expire time for each authenticator.
Principal names are listed in the form
.I name.instance@realm,
with the '.' omitted if the instance is null,
and the '@' omitted if the realm is null.
If given the
.B \-s
option,
.I klist
does not print the issue and expire times, the name of the tickets file,
or the identity of the principal.
If given the
.B \-t
option,
.B klist
checks for the existence of a non-expired ticket-granting-ticket in the
ticket file. If one is present, it exits with status 0, else it exits
with status 1. No output is generated when this option is specified.
If given the
.B \-file
option, the following argument is used as the ticket file.
Otherwise, if the
.B KRBTKFILE
environment variable is set, it is used.
If this environment variable
is not set, the file
.B /tmp/tkt[uid]
is used, where
.B uid
is the current user-id of the user.
If given the
.B \-srvtab
option, the file is treated as a service key file, and the names of the
keys contained therein are printed. If no file is
specified with a
.B \-file
option, the default is
.IR /etc/kerberosIV/srvtab .
.SH FILES
.TP 2i
/etc/kerberosIV/krb.conf
to get the name of the local realm
.TP
/tmp/tkt[uid]
as the default ticket file ([uid] is the decimal UID of the user).
.TP
/etc/kerberosIV/srvtab
as the default service key file
.SH SEE ALSO
.PP
kerberos(1), kinit(1), kdestroy(1)
.SH BUGS
When reading a file as a service key file, very little sanity or error
checking is performed.
-288
View File
@@ -1,288 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* Lists your current Kerberos tickets.
* Written by Bill Sommerfeld, MIT Project Athena.
*
* from: klist.c,v 4.15 89/08/30 11:19:16 jtkohl Exp $
* $Id: klist.c,v 1.3 1995/07/18 16:37:59 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: klist.c,v 1.3 1995/07/18 16:37:59 mark Exp $";
#endif lint
#endif
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <sys/file.h>
#include <krb.h>
#include <prot.h>
#include <time.h>
int ok_getst(int fd, char *s, int n);
void display_srvtab(char *file);
char *short_date(long *dp);
void usage(void);
void display_tktfile(char *file, int tgt_test, int long_form);
char *whoami; /* What was I invoked as?? */
extern char *krb_err_txt[];
/* ARGSUSED */
int
main(argc, argv)
int argc;
char **argv;
{
int long_form = 1;
int tgt_test = 0;
int do_srvtab = 0;
char *tkt_file = NULL;
char *cp;
whoami = (cp = rindex(*argv, '/')) ? cp + 1 : *argv;
while (*(++argv)) {
if (!strcmp(*argv, "-s")) {
long_form = 0;
continue;
}
if (!strcmp(*argv, "-t")) {
tgt_test = 1;
long_form = 0;
continue;
}
if (!strcmp(*argv, "-l")) { /* now default */
continue;
}
if (!strcmp(*argv, "-file")) {
if (*(++argv)) {
tkt_file = *argv;
continue;
} else
usage();
}
if (!strcmp(*argv, "-srvtab")) {
if (tkt_file == NULL) /* if no other file spec'ed,
set file to default srvtab */
tkt_file = KEYFILE;
do_srvtab = 1;
continue;
}
usage();
}
if (do_srvtab)
display_srvtab(tkt_file);
else
display_tktfile(tkt_file, tgt_test, long_form);
exit(0);
}
void
display_tktfile(file, tgt_test, long_form)
char *file;
int tgt_test, long_form;
{
char pname[ANAME_SZ];
char pinst[INST_SZ];
char prealm[REALM_SZ];
char buf1[20], buf2[20];
int k_errno;
CREDENTIALS c;
int header = 1;
if ((file == NULL) && ((file = getenv("KRBTKFILE")) == NULL))
file = TKT_FILE;
if (long_form)
printf("Ticket file: %s\n", file);
/*
* Since krb_get_tf_realm will return a ticket_file error,
* we will call tf_init and tf_close first to filter out
* things like no ticket file. Otherwise, the error that
* the user would see would be
* klist: can't find realm of ticket file: No ticket file (tf_util)
* instead of
* klist: No ticket file (tf_util)
*/
/* Open ticket file */
if ((k_errno = tf_init(file, R_TKT_FIL))) {
if (!tgt_test)
fprintf(stderr, "%s: %s\n", whoami, krb_err_txt[k_errno]);
exit(1);
}
/* Close ticket file */
(void) tf_close();
/*
* We must find the realm of the ticket file here before calling
* tf_init because since the realm of the ticket file is not
* really stored in the principal section of the file, the
* routine we use must itself call tf_init and tf_close.
*/
if ((k_errno = krb_get_tf_realm(file, prealm)) != KSUCCESS) {
if (!tgt_test)
fprintf(stderr, "%s: can't find realm of ticket file: %s\n",
whoami, krb_err_txt[k_errno]);
exit(1);
}
/* Open ticket file */
if ((k_errno = tf_init(file, R_TKT_FIL))) {
if (!tgt_test)
fprintf(stderr, "%s: %s\n", whoami, krb_err_txt[k_errno]);
exit(1);
}
/* Get principal name and instance */
if ((k_errno = tf_get_pname(pname)) ||
(k_errno = tf_get_pinst(pinst))) {
if (!tgt_test)
fprintf(stderr, "%s: %s\n", whoami, krb_err_txt[k_errno]);
exit(1);
}
/*
* You may think that this is the obvious place to get the
* realm of the ticket file, but it can't be done here as the
* routine to do this must open the ticket file. This is why
* it was done before tf_init.
*/
if (!tgt_test && long_form)
printf("Principal:\t%s%s%s%s%s\n\n", pname,
(pinst[0] ? "." : ""), pinst,
(prealm[0] ? "@" : ""), prealm);
while ((k_errno = tf_get_cred(&c)) == KSUCCESS) {
if (!tgt_test && long_form && header) {
printf("%-15s %-15s %s\n",
" Issued", " Expires", " Principal");
header = 0;
}
if (tgt_test) {
c.issue_date += ((unsigned char) c.lifetime) * 5 * 60;
if (!strcmp(c.service, TICKET_GRANTING_TICKET) &&
!strcmp(c.instance, prealm)) {
if (time(0) < c.issue_date)
exit(0); /* tgt hasn't expired */
else
exit(1); /* has expired */
}
continue; /* not a tgt */
}
if (long_form) {
(void) strcpy(buf1, short_date(&c.issue_date));
c.issue_date += ((unsigned char) c.lifetime) * 5 * 60;
(void) strcpy(buf2, short_date(&c.issue_date));
printf("%s %s ", buf1, buf2);
}
printf("%s%s%s%s%s\n",
c.service, (c.instance[0] ? "." : ""), c.instance,
(c.realm[0] ? "@" : ""), c.realm);
}
if (tgt_test)
exit(1); /* no tgt found */
if (header && long_form && k_errno == EOF) {
printf("No tickets in file.\n");
}
}
char *
short_date(dp)
long *dp;
{
register char *cp;
extern char *ctime();
cp = ctime(dp) + 4;
cp[15] = '\0';
return (cp);
}
void
usage()
{
fprintf(stderr,
"Usage: %s [ -s | -t ] [ -file filename ] [ -srvtab ]\n", whoami);
exit(1);
}
void
display_srvtab(file)
char *file;
{
int stab;
char serv[SNAME_SZ];
char inst[INST_SZ];
char rlm[REALM_SZ];
unsigned char key[8];
unsigned char vno;
int count;
printf("Server key file: %s\n", file);
if ((stab = open(file, O_RDONLY, 0400)) < 0) {
perror(file);
exit(1);
}
printf("%-15s %-15s %-10s %s\n","Service","Instance","Realm",
"Key Version");
printf("------------------------------------------------------\n");
/* argh. getst doesn't return error codes, it silently fails */
while (((count = ok_getst(stab, serv, SNAME_SZ)) > 0)
&& ((count = ok_getst(stab, inst, INST_SZ)) > 0)
&& ((count = ok_getst(stab, rlm, REALM_SZ)) > 0)) {
if (((count = read(stab,(char *) &vno,1)) != 1) ||
((count = read(stab,(char *) key,8)) != 8)) {
if (count < 0)
perror("reading from key file");
else
fprintf(stderr, "key file truncated\n");
exit(1);
}
printf("%-15s %-15s %-15s %d\n",serv,inst,rlm,vno);
}
if (count < 0)
perror(file);
(void) close(stab);
}
/* adapted from getst() in librkb */
/*
* ok_getst() takes a file descriptor, a string and a count. It reads
* from the file until either it has read "count" characters, or until
* it reads a null byte. When finished, what has been read exists in
* the given string "s". If "count" characters were actually read, the
* last is changed to a null, so the returned string is always null-
* terminated. ok_getst() returns the number of characters read, including
* the null terminator.
*
* If there is a read error, it returns -1 (like the read(2) system call)
*/
int
ok_getst(fd, s, n)
int fd;
register char *s;
int n;
{
register count = n;
int err;
while ((err = read(fd, s, 1)) > 0 && --count)
if (*s++ == '\0')
return (n - count);
if (err < 0)
return(-1);
*s = '\0';
return (n - count);
}
-11
View File
@@ -1,11 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.1.1.1 1995/08/03 07:36:18 mark Exp $
PROG= kprop
CFLAGS+=-I${.CURDIR}/../include -Wall
DPADD= ${LIBKRB}
LDADD= -L${KRBOBJDIR} -lkrb -ldes
BINDIR= /usr/sbin
NOMAN= noman
.include <bsd.prog.mk>
-637
View File
@@ -1,637 +0,0 @@
/*
*
* Copyright 1987 by the Massachusetts Institute of Technology.
*
* For copying and distribution information,
* please see the file <mit-copyright.h>.
*
* $Revision: 1.1.1.1 $
* $Date: 1995/08/03 07:36:18 $
* $State: Exp $
* $Source: /usr/cvs/src/eBones/kprop/kprop.c,v $
* $Author: mark $
* $Locker: $
*
* $Log: kprop.c,v $
* Revision 1.1.1.1 1995/08/03 07:36:18 mark
* Import an updated revision of the MIT kprop program for distributing
* kerberos databases to slave servers.
*
* NOTE: This method was abandoned by MIT long ago, this code is close to
* garbage, but it is slightly more secure than using rdist.
* There is no documentation available on how to use it, and
* it should -not- be built by default.
*
* Obtained from: MIT Project Athena
*
* Revision 1.1.1.1 1995/08/02 22:11:44 pst
* Import an updated revision of the MIT kprop program for distributing
* kerberos databases to slave servers.
*
* NOTE: This method was abandoned by MIT long ago, this code is close to
* garbage, but it is slightly more secure than using rdist.
* There is no documentation available on how to use it, and
* it should -not- be built by default.
*
* Obtained from: MIT Project Athena
*
* Revision 4.7 92/11/10 23:01:06 tytso
* Removed incompatible #include
*
* Revision 4.6 91/02/28 22:49:34 probe
* Fixed header file inclusion
*
* Revision 4.5 90/03/20 15:37:57 jon
* Stop kpropd port number from being bashed (static buffers)
* Programmer: jtkohl
* Auditor: jon
*
* Revision 4.4 90/01/02 13:42:40 jtkohl
* add back in accidentally deleted $ in rcsid string
*
* Revision 4.3 89/12/30 21:22:27 qjb
* Added #define MAXHOSTNAMELEN if not already defined for the benifit
* of Unixes that don't have this variable in sys/param.h.
*
* Revision 4.2 89/03/23 10:23:43 jtkohl
* fix misuse of mkstemp to use mktemp
* NOENCRYPTION changes
*
* Revision 4.1 89/01/24 20:35:17 root
* name change
*
* Revision 4.0 89/01/24 18:44:38 wesommer
* Original version; programmer: wesommer
* auditor: jon.
*
* Revision 4.4 88/01/08 18:05:21 jon
* formating changes and rcs header info
*
*
*/
#if 0
#ifndef lint
static char rcsid_kprop_c[] =
"$Id: kprop.c,v 1.1.1.1 1995/08/03 07:36:18 mark Exp $";
#endif lint
#endif
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/file.h>
#include <signal.h>
#include <sys/stat.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <sys/param.h>
#include <netdb.h>
#include <krb.h>
#include <des.h>
#include "kprop.h"
/* for those broken Unixes without this defined... should be in sys/param.h */
#ifndef MAXHOSTNAMELEN
#define MAXHOSTNAMELEN 64
#endif
static char kprop_version[KPROP_PROT_VERSION_LEN] = KPROP_PROT_VERSION;
int debug = 0;
char my_realm[REALM_SZ];
int princ_data_size = 3 * sizeof(long) + 3 * sizeof(unsigned char);
short transfer_mode, net_transfer_mode;
int force_flag;
static char ok[] = ".dump_ok";
extern char *krb_get_phost(char *);
struct slave_host {
u_long net_addr;
char *name;
char *instance;
char *realm;
int not_time_yet;
int succeeded;
struct slave_host *next;
};
void Death(char *s);
int get_slaves(struct slave_host **psl, char *file, time_t ok_mtime);
int prop_to_slaves(struct slave_host *sl, int fd, char *fslv);
int
main(argc, argv)
int argc;
char *argv[];
{
int fd, i;
char *floc, *floc_ok;
char *fslv;
struct stat stbuf, stbuf_ok;
long l_init, l_final;
char *pc;
int l_diff;
static struct slave_host *slave_host_list = NULL;
struct slave_host *sh;
transfer_mode = KPROP_TRANSFER_PRIVATE;
time(&l_init);
pc = ctime(&l_init);
pc[strlen(pc) - 1] = '\0';
printf("\nStart slave propagation: %s\n", pc);
floc = (char *) NULL;
fslv = (char *) NULL;
if (krb_get_lrealm(my_realm,1) != KSUCCESS)
Death ("Getting my kerberos realm. Check krb.conf");
for (i = 1; i < argc; i++)
switch (argv[i][0]) {
case '-':
if (strcmp (argv[i], "-private") == 0)
transfer_mode = KPROP_TRANSFER_PRIVATE;
#ifdef not_safe_yet
else if (strcmp (argv[i], "-safe") == 0)
transfer_mode = KPROP_TRANSFER_SAFE;
else if (strcmp (argv[i], "-clear") == 0)
transfer_mode = KPROP_TRANSFER_CLEAR;
#endif
else if (strcmp (argv[i], "-realm") == 0) {
i++;
if (i < argc)
strcpy(my_realm, argv[i]);
else
goto usage;
} else if (strcmp (argv[i], "-force") == 0)
force_flag++;
else {
fprintf (stderr, "kprop: unknown control argument %s.\n",
argv[i]);
exit (1);
}
break;
default:
/* positional arguments are marginal at best ... */
if (floc == (char *) NULL)
floc = argv[i];
else {
if (fslv == (char *) NULL)
fslv = argv[i];
else {
usage:
/* already got floc and fslv, what is this? */
fprintf(stderr,
"\nUsage: kprop [-force] [-realm realm] [-private|-safe|-clear] data_file slaves_file\n\n");
exit(1);
}
}
}
if ((floc == (char *)NULL) || (fslv == (char *)NULL))
goto usage;
if ((floc_ok = (char *) malloc(strlen(floc) + strlen(ok) + 1))
== NULL) {
Death(floc);
}
strcat(strcpy(floc_ok, floc), ok);
if ((fd = open(floc, O_RDONLY)) < 0) {
Death(floc);
}
if (flock(fd, LOCK_EX | LOCK_NB)) {
Death(floc);
}
if (stat(floc, &stbuf)) {
Death(floc);
}
if (stat(floc_ok, &stbuf_ok)) {
Death(floc_ok);
}
if (stbuf.st_mtime > stbuf_ok.st_mtime) {
fprintf(stderr, "kprop: '%s' more recent than '%s'.\n",
floc, floc_ok);
exit(1);
}
if (!get_slaves(&slave_host_list, fslv, stbuf_ok.st_mtime)) {
fprintf(stderr,
"kprop: can't read slave host file '%s'.\n", fslv);
exit(1);
}
#ifdef KPROP_DBG
{
struct slave_host *sh;
int i;
fprintf(stderr, "\n\n");
fflush(stderr);
for (sh = slave_host_list; sh; sh = sh->next) {
fprintf(stderr, "slave %d: %s, %s", i++, sh->name,
inet_ntoa(sh->net_addr));
fflush(stderr);
}
}
#endif /* KPROP_DBG */
if (!prop_to_slaves(slave_host_list, fd, fslv)) {
fprintf(stderr,
"kprop: propagation failed.\n");
exit(1);
}
if (flock(fd, LOCK_UN)) {
Death(floc);
}
fprintf(stderr, "\n\n");
for (sh = slave_host_list; sh; sh = sh->next) {
fprintf(stderr, "%s:\t\t%s\n", sh->name,
(sh->not_time_yet? "Not time yet" : (sh->succeeded ? "Succeeded" : "FAILED")));
}
time(&l_final);
l_diff = l_final - l_init;
printf("propagation finished, %d:%02d:%02d elapsed\n",
l_diff / 3600, (l_diff % 3600) / 60, l_diff % 60);
exit(0);
}
void
Death(s)
char *s;
{
fprintf(stderr, "kprop: ");
perror(s);
exit(1);
}
/* The master -> slave protocol looks like this:
1) 8 byte version string
2) 2 bytes of "transfer mode" (net byte order of course)
3) ticket/authentication send by sendauth
4) 4 bytes of "block" length (u_long)
5) data
4 and 5 repeat til EOF ...
*/
int
prop_to_slaves(sl, fd, fslv)
struct slave_host *sl;
int fd;
char *fslv;
{
char buf[KPROP_BUFSIZ];
char obuf[KPROP_BUFSIZ + 64 /* leave room for private msg overhead */ ];
struct servent *sp;
struct sockaddr_in sin, my_sin;
int i, n, s;
struct slave_host *cs; /* current slave */
char path[256], my_host_name[MAXHOSTNAMELEN], *p_my_host_name;
char kprop_service_instance[INST_SZ];
char *pc;
u_long cksum, get_data_checksum();
u_long length, nlength;
long kerror;
KTEXT_ST ticket;
CREDENTIALS cred;
MSG_DAT msg_dat;
static char tkstring[] = "/tmp/kproptktXXXXXX";
Key_schedule session_sched;
(void) mktemp(tkstring);
krb_set_tkt_string(tkstring);
if ((sp = getservbyname("krb_prop", "tcp")) == 0) {
fprintf(stderr, "tcp/krb_prop: service unknown.\n");
exit(1);
}
bzero(&sin, sizeof sin);
sin.sin_family = AF_INET;
sin.sin_port = sp->s_port;
strcpy(path, fslv);
if ((pc = rindex(path, '/'))) {
pc += 1;
} else {
pc = path;
}
for (i = 0; i < 5; i++) { /* try each slave five times max */
for (cs = sl; cs; cs = cs->next) {
if (!cs->succeeded) {
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
perror("kprop: socket");
exit(1);
}
bcopy(&cs->net_addr, &sin.sin_addr,
sizeof cs->net_addr);
if (connect(s, (struct sockaddr *) &sin, sizeof sin) < 0) {
fprintf(stderr, "%s: ", cs->name);
perror("connect");
close(s);
continue; /*** NEXT SLAVE ***/
}
/* for krb_mk_{priv, safe} */
bzero (&my_sin, sizeof my_sin);
n = sizeof my_sin;
if (getsockname (s, (struct sockaddr *) &my_sin, &n) != 0) {
fprintf (stderr, "kprop: can't get socketname.");
perror ("getsockname");
close (s);
continue; /*** NEXT SLAVE ***/
}
if (n != sizeof (my_sin)) {
fprintf (stderr, "kprop: can't get socketname. len");
close (s);
continue; /*** NEXT SLAVE ***/
}
/* Get ticket */
kerror = krb_mk_req (&ticket, KPROP_SERVICE_NAME,
cs->instance, cs->realm, (u_long) 0);
/* if ticket has expired try to get a new one, but
* first get a TGT ...
*/
if (kerror != MK_AP_OK) {
if (gethostname (my_host_name, sizeof(my_host_name)) != 0) {
fprintf (stderr, "%s:", cs->name);
perror ("getting my hostname");
close (s);
break; /* next one can't work either! */
}
/* get canonical kerberos service instance name */
p_my_host_name = krb_get_phost (my_host_name);
/* copy it to make sure gethostbyname static doesn't
* screw us. */
strcpy (kprop_service_instance, p_my_host_name);
kerror = krb_get_svc_in_tkt (KPROP_SERVICE_NAME,
#if 0
kprop_service_instance,
#else
KRB_MASTER,
#endif
my_realm,
TGT_SERVICE_NAME,
my_realm,
96,
KPROP_SRVTAB);
if (kerror != INTK_OK) {
fprintf (stderr,
"%s: %s. While getting initial ticket\n",
cs->name, krb_err_txt[kerror]);
close (s);
goto punt;
}
kerror = krb_mk_req (&ticket, KPROP_SERVICE_NAME,
cs->instance, cs->realm, (u_long) 0);
}
if (kerror != MK_AP_OK) {
fprintf (stderr, "%s: %s. Calling krb_mk_req.",
cs->name, krb_err_txt[kerror]);
close (s);
continue; /*** NEXT SLAVE ***/
}
if (write(s, kprop_version, sizeof(kprop_version))
!= sizeof(kprop_version)) {
fprintf (stderr, "%s: ", cs->name);
perror ("write (version) error");
close (s);
continue; /*** NEXT SLAVE ***/
}
net_transfer_mode = htons (transfer_mode);
if (write(s, &net_transfer_mode, sizeof(net_transfer_mode))
!= sizeof(net_transfer_mode)) {
fprintf (stderr, "%s: ", cs->name);
perror ("write (transfer_mode) error");
close (s);
continue; /*** NEXT SLAVE ***/
}
kerror = krb_get_cred (KPROP_SERVICE_NAME, cs->instance,
cs->realm, &cred);
if (kerror != KSUCCESS) {
fprintf (stderr, "%s: %s. Getting session key.",
cs->name, krb_err_txt[kerror]);
close (s);
continue; /*** NEXT SLAVE ***/
}
#ifdef NOENCRYPTION
bzero((char *)session_sched, sizeof(session_sched));
#else
if (key_sched ((C_Block *)cred.session, session_sched)) {
fprintf (stderr, "%s: can't make key schedule.",
cs->name);
close (s);
continue; /*** NEXT SLAVE ***/
}
#endif
/* SAFE (quad_cksum) and CLEAR are just not good enough */
cksum = 0;
#ifdef not_working_yet
if (transfer_mode != KPROP_TRANSFER_PRIVATE) {
cksum = get_data_checksum(fd, session_sched);
lseek(fd, 0L, 0);
}
else
#endif
{
struct stat st;
fstat (fd, &st);
cksum = st.st_size;
}
kerror = krb_sendauth(KOPT_DO_MUTUAL,
s,
&ticket,
KPROP_SERVICE_NAME,
cs->instance,
cs->realm,
cksum,
&msg_dat,
&cred,
session_sched,
&my_sin,
&sin,
KPROP_PROT_VERSION);
if (kerror != KSUCCESS) {
fprintf (stderr, "%s: %s. Calling krb_sendauth.",
cs->name, krb_err_txt[kerror]);
close (s);
continue; /*** NEXT SLAVE ***/
}
while ((n = read(fd, buf, sizeof buf))) {
if (n < 0) {
perror("input file read error");
exit(1);
}
switch (transfer_mode) {
case KPROP_TRANSFER_PRIVATE:
case KPROP_TRANSFER_SAFE:
if (transfer_mode == KPROP_TRANSFER_PRIVATE)
length = krb_mk_priv (buf, obuf, n,
session_sched, cred.session,
&my_sin, &sin);
else
length = krb_mk_safe (buf, obuf, n,
(C_Block *)cred.session,
&my_sin, &sin);
if (length == -1) {
fprintf (stderr, "%s: %s failed.",
cs->name,
(transfer_mode == KPROP_TRANSFER_PRIVATE)
? "krb_rd_priv" : "krb_rd_safe");
close (s);
continue; /*** NEXT SLAVE ***/
}
nlength = htonl(length);
if (write(s, &nlength, sizeof nlength)
!= sizeof nlength) {
fprintf (stderr, "%s: ", cs->name);
perror ("write error");
close (s);
continue; /*** NEXT SLAVE ***/
}
if (write(s, obuf, length) != length) {
fprintf(stderr, "%s: ", cs->name);
perror("write error");
close(s);
continue; /*** NEXT SLAVE ***/
}
break;
case KPROP_TRANSFER_CLEAR:
if (write(s, buf, n) != n) {
fprintf(stderr, "%s: ", cs->name);
perror("write error");
close(s);
continue; /*** NEXT SLAVE ***/
}
break;
}
}
close(s);
cs->succeeded = 1;
fprintf(stderr, "%s: success.\n", cs->name);
strcat(strcpy(pc, cs->name), "-last-prop");
close(creat(path, 0600));
}
}
}
punt:
dest_tkt();
for (cs = sl; cs; cs = cs->next) {
if (!cs->succeeded)
return (0); /* didn't get this slave */
}
return (1);
}
int
get_slaves(psl, file, ok_mtime)
struct slave_host **psl;
char *file;
time_t ok_mtime;
{
FILE *fin;
char namebuf[128], *inst;
char *pc;
struct hostent *host;
struct slave_host **th;
char path[256];
char *ppath;
struct stat stbuf;
if ((fin = fopen(file, "r")) == NULL) {
fprintf(stderr, "Can't open slave host file, '%s'.\n", file);
exit(-1);
}
strcpy(path, file);
if ((ppath = rindex(path, '/'))) {
ppath += 1;
} else {
ppath = path;
}
for (th = psl; fgets(namebuf, sizeof namebuf, fin); th = &(*th)->next) {
if ((pc = index(namebuf, '\n'))) {
*pc = '\0';
} else {
fprintf(stderr, "Host name too long (>= %d chars) in '%s'.\n",
sizeof namebuf, file);
exit(-1);
}
host = gethostbyname(namebuf);
if (host == NULL) {
fprintf(stderr, "Unknown host '%s' in '%s'.\n", namebuf, file);
exit(-1);
}
(*th) = (struct slave_host *) malloc(sizeof(struct slave_host));
if (!*th) {
fprintf(stderr, "No memory reading host list from '%s'.\n",
file);
exit(-1);
}
(*th)->name = malloc(strlen(namebuf) + 1);
if (!(*th)->name) {
fprintf(stderr, "No memory reading host list from '%s'.\n",
file);
exit(-1);
}
/* get kerberos cannonical instance name */
strcpy((*th)->name, namebuf);
inst = krb_get_phost ((*th)->name);
(*th)->instance = malloc(strlen(inst) + 1);
if (!(*th)->instance) {
fprintf(stderr, "No memory reading host list from '%s'.\n",
file);
exit(-1);
}
strcpy((*th)->instance, inst);
/* what a concept, slave servers in different realms! */
(*th)->realm = my_realm;
(*th)->net_addr = *(u_long *) host->h_addr;
(*th)->succeeded = 0;
(*th)->next = NULL;
strcat(strcpy(ppath, (*th)->name), "-last-prop");
if (!force_flag && !stat(path, &stbuf) && stbuf.st_mtime > ok_mtime) {
(*th)->not_time_yet = 1;
(*th)->succeeded = 1; /* no change since last success */
}
}
fclose(fin);
return (1);
}
#ifdef doesnt_work_yet
u_long get_data_checksum(fd, key_sched)
int fd;
Key_schedule key_sched;
{
unsigned long cksum = 0;
unsigned long cbc_cksum();
int n;
char buf[BUFSIZ];
long obuf[2];
while (n = read(fd, buf, sizeof buf)) {
if (n < 0) {
fprintf(stderr, "Input data file read error: ");
perror("read");
exit(1);
}
cksum = cbc_cksum(buf, obuf, n, key_sched, key_sched);
}
return cksum;
}
#endif
-55
View File
@@ -1,55 +0,0 @@
/*
* Copyright 1987 by the Massachusetts Institute of Technology.
*
* For copying and distribution information,
* please see the file <mit-copyright.h>.
*
* $Revision: 1.1.1.1 $
* $Date: 1995/08/03 07:36:18 $
* $State: Exp $
* $Source: /usr/cvs/src/eBones/kprop/kprop.h,v $
* $Author: mark $
* $Locker: $
*
* $Log: kprop.h,v $
* Revision 1.1.1.1 1995/08/03 07:36:18 mark
* Import an updated revision of the MIT kprop program for distributing
* kerberos databases to slave servers.
*
* NOTE: This method was abandoned by MIT long ago, this code is close to
* garbage, but it is slightly more secure than using rdist.
* There is no documentation available on how to use it, and
* it should -not- be built by default.
*
* Obtained from: MIT Project Athena
*
* Revision 1.1.1.1 1995/08/02 22:11:44 pst
* Import an updated revision of the MIT kprop program for distributing
* kerberos databases to slave servers.
*
* NOTE: This method was abandoned by MIT long ago, this code is close to
* garbage, but it is slightly more secure than using rdist.
* There is no documentation available on how to use it, and
* it should -not- be built by default.
*
* Obtained from: MIT Project Athena
*
* Revision 4.1 92/10/23 15:45:13 tytso
* Change the location of KPROP_KDBUTIL to be /kerberos/bin/kdb_util.
*
* Revision 4.0 89/01/24 18:44:46 wesommer
* Original version; programmer: wesommer
* auditor: jon
*
*/
#define KPROP_SERVICE_NAME "rcmd"
#define KPROP_SRVTAB "/etc/kerberosIV/srvtab"
#define TGT_SERVICE_NAME "krbtgt"
#define KPROP_PROT_VERSION_LEN 8
#define KPROP_PROT_VERSION "kprop01"
#define KPROP_TRANSFER_PRIVATE 1
#define KPROP_TRANSFER_SAFE 2
#define KPROP_TRANSFER_CLEAR 3
#define KPROP_BUFSIZ 32768
#define KPROP_KDB_UTIL "/usr/sbin/kdb_util"
-11
View File
@@ -1,11 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.1.1.1 1995/08/03 07:37:19 mark Exp $
PROG= kpropd
CFLAGS+=-I${.CURDIR}/../include -I${.CURDIR}/../kprop -Wall
DPADD= ${LIBKRB}
LDADD= -L${KRBOBJDIR} -lkrb -ldes
BINDIR= /usr/libexec
NOMAN= noman
.include <bsd.prog.mk>
-453
View File
@@ -1,453 +0,0 @@
/*
* Copyright 1987 by the Massachusetts Institute of Technology.
*
* For copying and distribution information, please see the file
* MIT.Copyright.
*
* kprop/kpropd have been abandonded by Project Athena (for good reason)
* however they still form the basis for one of the better ways for
* distributing kerberos databases. This version of kpropd has been
* adapted from the MIT distribution to work properly in a 4.4BSD
* environment.
*
* $Revision: 1.1.1.1 $ $Date: 1995/08/03 07:37:19 $ $State: Exp $
* $Source: /usr/cvs/src/eBones/kpropd/kpropd.c,v $
*
* Log: kpropd.c,v
* Revision 4.5 92/10/23 15:45:46 tytso Make it possible
* to specify the location of the kdb_util program.
*
* Revision 4.4 91/06/15 03:20:51 probe Fixed <sys/types.h> inclusion
*
* Revision 4.3 89/05/16 15:06:04 wesommer Fix operator precedence stuff.
* Programmer: John Kohl.
*
* Revision 4.2 89/03/23 10:24:00 jtkohl NOENCRYPTION changes
*
* Revision 4.1 89/01/24 20:33:48 root name change
*
* Revision 4.0 89/01/24 18:45:06 wesommer Original version; programmer:
* wesommer auditor: jon
*
* Revision 4.5 88/01/08 18:07:46 jon formatting and rcs header changes */
/*
* This program is run on slave servers, to catch updates "pushed" from the
* master kerberos server in a realm.
*/
#if 0
#ifndef lint
static char rcsid_kpropd_c[] =
"$Header: /usr/cvs/src/eBones/kpropd/kpropd.c,v 1.1.1.1 1995/08/03 07:37:19 mark Exp $";
#endif /* lint */
#endif
#include <errno.h>
#include <unistd.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/file.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <syslog.h>
#include <krb.h>
#include <krb_db.h>
#include "kprop.h"
static char kprop_version[KPROP_PROT_VERSION_LEN] = KPROP_PROT_VERSION;
int debug = 0;
int pause_int = 300; /* 5 minutes in seconds */
unsigned long get_data_checksum(int fd, Key_schedule key_sched);
void recv_auth(int in, int out, int private,
struct sockaddr_in *remote, struct sockaddr_in *local,
AUTH_DAT *ad);
static void SlowDeath(void);
void recv_clear(int in, int out);
/* leave room for private msg overhead */
static char buf[KPROP_BUFSIZ + 64];
static void
usage()
{
fprintf(stderr, "\nUsage: kpropd [-r realm] [-s srvtab] [-P kdb_util] fname\n");
exit(2);
}
void
main(argc, argv)
int argc;
char **argv;
{
struct sockaddr_in from;
struct sockaddr_in sin;
int s2, fd, n, fdlock;
int from_len;
char local_file[256];
char local_temp[256];
struct hostent *hp;
char hostname[256];
char from_str[128];
long kerror;
AUTH_DAT auth_dat;
KTEXT_ST ticket;
char my_instance[INST_SZ];
char my_realm[REALM_SZ];
char cmd[1024];
short net_transfer_mode, transfer_mode;
Key_schedule session_sched;
char version[9];
int c;
extern char *optarg;
extern int optind;
int rflag = 0;
char *srvtab = "";
char *local_db = DBM_FILE;
char *kdb_util = KPROP_KDB_UTIL;
if (argv[argc - 1][0] == 'k' && isdigit(argv[argc - 1][1])) {
argc--; /* ttys file hack */
}
while ((c = getopt(argc, argv, "r:s:d:P:")) != EOF) {
switch (c) {
case 'r':
rflag++;
strcpy(my_realm, optarg);
break;
case 's':
srvtab = optarg;
break;
case 'd':
local_db = optarg;
break;
case 'P':
kdb_util = optarg;
break;
default:
usage();
break;
}
}
if (optind != argc - 1)
usage();
openlog("kpropd", LOG_PID, LOG_AUTH);
strcpy(local_file, argv[optind]);
strcat(strcpy(local_temp, argv[optind]), ".tmp");
#ifdef STANDALONE
if ((sp = getservbyname("krb_prop", "tcp")) == NULL) {
syslog(LOG_ERR, "tcp/krb_prop: unknown service.");
SlowDeath();
}
bzero(&sin, sizeof sin);
sin.sin_port = sp->s_port;
sin.sin_family = AF_INET;
if ((s = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
syslog(LOG_ERR, "socket: %m");
SlowDeath();
}
if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
syslog(LOG_ERR, "bind: %m");
SlowDeath();
}
#endif /* STANDALONE */
if (!rflag) {
kerror = krb_get_lrealm(my_realm, 1);
if (kerror != KSUCCESS) {
syslog(LOG_ERR, "can't get local realm. %s",
krb_err_txt[kerror]);
SlowDeath();
}
}
if (gethostname(my_instance, sizeof(my_instance)) != 0) {
syslog(LOG_ERR, "gethostname: %m");
SlowDeath();
}
#ifdef STANDALONE
listen(s, 5);
for (;;) {
from_len = sizeof from;
if ((s2 = accept(s, (struct sockaddr *)&from, &from_len)) < 0) {
syslog(LOG_ERR, "accept: %m");
continue;
}
#else /* !STANDALONE */
s2 = 0;
from_len = sizeof from;
if (getpeername(0, (struct sockaddr *)&from, &from_len) < 0) {
syslog(LOG_ERR, "getpeername: %m");
SlowDeath();
}
#endif /* !STANDALONE */
strcpy(from_str, inet_ntoa(from.sin_addr));
if ((hp = gethostbyaddr((char *) &(from.sin_addr.s_addr),
from_len, AF_INET)) == NULL) {
strcpy(hostname, "UNKNOWN");
} else {
strcpy(hostname, hp->h_name);
}
syslog(LOG_INFO, "connection from %s, %s", hostname, from_str);
/* for krb_rd_{priv, safe} */
n = sizeof sin;
if (getsockname(s2, (struct sockaddr *)&sin, &n) != 0) {
syslog(LOG_ERR, "can't get socketname: %m");
SlowDeath();
}
if (n != sizeof(sin)) {
syslog(LOG_ERR, "can't get socketname (length)");
SlowDeath();
}
if ((fdlock = open(local_temp, O_WRONLY | O_CREAT, 0600)) < 0) {
syslog(LOG_ERR, "open: %m");
SlowDeath();
}
if (flock(fdlock, LOCK_EX | LOCK_NB)) {
syslog(LOG_ERR, "flock: %m");
SlowDeath();
}
if ((fd = creat(local_temp, 0600)) < 0) {
syslog(LOG_ERR, "creat: %m");
SlowDeath();
}
if ((n = read(s2, buf, sizeof(kprop_version)))
!= sizeof(kprop_version)) {
syslog(LOG_ERR,
"can't read protocol version (%d bytes)", n);
SlowDeath();
}
if (strncmp(buf, kprop_version, sizeof(kprop_version)) != 0) {
syslog(LOG_ERR, "unsupported version %s", buf);
SlowDeath();
}
if ((n = read(s2, &net_transfer_mode,
sizeof(net_transfer_mode)))
!= sizeof(net_transfer_mode)) {
syslog(LOG_ERR, "can't read transfer mode");
SlowDeath();
}
transfer_mode = ntohs(net_transfer_mode);
kerror = krb_recvauth(KOPT_DO_MUTUAL, s2, &ticket,
KPROP_SERVICE_NAME,
my_instance,
&from,
&sin,
&auth_dat,
srvtab,
session_sched,
version);
if (kerror != KSUCCESS) {
syslog(LOG_ERR, "%s calling getkdata",
krb_err_txt[kerror]);
SlowDeath();
}
syslog(LOG_INFO, "connection from %s.%s@%s",
auth_dat.pname, auth_dat.pinst, auth_dat.prealm);
/*
* AUTHORIZATION is done here. We might want to expand this
* to read an acl file at some point, but allowing for now
* KPROP_SERVICE_NAME.KRB_MASTER@local-realm is fine ...
*/
if ((strcmp(KPROP_SERVICE_NAME, auth_dat.pname) != 0) ||
(strcmp(KRB_MASTER, auth_dat.pinst) != 0) ||
(strcmp(my_realm, auth_dat.prealm) != 0)) {
syslog(LOG_NOTICE, "authorization denied");
SlowDeath();
}
switch (transfer_mode) {
case KPROP_TRANSFER_PRIVATE:
recv_auth(s2, fd, 1 /* private */ , &from, &sin, &auth_dat);
break;
case KPROP_TRANSFER_SAFE:
recv_auth(s2, fd, 0 /* safe */ , &from, &sin, &auth_dat);
break;
case KPROP_TRANSFER_CLEAR:
recv_clear(s2, fd);
break;
default:
syslog(LOG_ERR, "bad transfer mode %d", transfer_mode);
SlowDeath();
}
if (transfer_mode != KPROP_TRANSFER_PRIVATE) {
syslog(LOG_ERR, "non-private transfers not supported\n");
SlowDeath();
#ifdef doesnt_work_yet
lseek(fd, (long) 0, L_SET);
if (auth_dat.checksum != get_data_checksum(fd, session_sched)) {
syslog(LOG_ERR, "checksum doesn't match");
SlowDeath();
}
#endif
} else {
struct stat st;
fstat(fd, &st);
if (st.st_size != auth_dat.checksum) {
syslog(LOG_ERR, "length doesn't match");
SlowDeath();
}
}
close(fd);
close(s2);
if (rename(local_temp, local_file) < 0) {
syslog(LOG_ERR, "rename: %m");
SlowDeath();
}
if (flock(fdlock, LOCK_UN)) {
syslog(LOG_ERR, "flock (unlock): %m");
SlowDeath();
}
close(fdlock);
sprintf(cmd, "%s load %s %s\n", kdb_util, local_file, local_db);
if (system(cmd) != 0) {
syslog(LOG_ERR, "couldn't load database");
SlowDeath();
}
#ifdef STANDALONE
}
#endif
}
void
recv_auth(in, out, private, remote, local, ad)
int in, out;
int private;
struct sockaddr_in *remote, *local;
AUTH_DAT *ad;
{
u_long length;
long kerror;
int n;
MSG_DAT msg_data;
Key_schedule session_sched;
if (private)
#ifdef NOENCRYPTION
bzero((char *) session_sched, sizeof(session_sched));
#else
if (key_sched((C_Block *)ad->session, session_sched)) {
syslog(LOG_ERR, "can't make key schedule");
SlowDeath();
}
#endif
while (1) {
n = krb_net_read(in, (char *)&length, sizeof length);
if (n == 0)
break;
if (n < 0) {
syslog(LOG_ERR, "read: %m");
SlowDeath();
}
length = ntohl(length);
if (length > sizeof buf) {
syslog(LOG_ERR, "read length %d, bigger than buf %d",
length, sizeof buf);
SlowDeath();
}
n = krb_net_read(in, buf, length);
if (n < 0) {
syslog(LOG_ERR, "kpropd: read: %m");
SlowDeath();
}
if (private)
kerror = krb_rd_priv(buf, n, session_sched, ad->session,
remote, local, &msg_data);
else
kerror = krb_rd_safe(buf, n, (C_Block *)ad->session,
remote, local, &msg_data);
if (kerror != KSUCCESS) {
syslog(LOG_ERR, "%s: %s",
private ? "krb_rd_priv" : "krb_rd_safe",
krb_err_txt[kerror]);
SlowDeath();
}
if (write(out, msg_data.app_data, msg_data.app_length) !=
msg_data.app_length) {
syslog(LOG_ERR, "write: %m");
SlowDeath();
}
}
}
void
recv_clear(in, out)
int in, out;
{
int n;
while (1) {
n = read(in, buf, sizeof buf);
if (n == 0)
break;
if (n < 0) {
syslog(LOG_ERR, "read: %m");
SlowDeath();
}
if (write(out, buf, n) != n) {
syslog(LOG_ERR, "write: %m");
SlowDeath();
}
}
}
static void
SlowDeath()
{
#ifdef STANDALONE
sleep(pause_int);
#endif
exit(1);
}
#ifdef doesnt_work_yet
unsigned long
get_data_checksum(fd, key_sched)
int fd;
Key_schedule key_sched;
{
unsigned long cksum = 0;
unsigned long cbc_cksum();
int n;
char buf[BUFSIZ];
char obuf[8];
while (n = read(fd, buf, sizeof buf)) {
if (n < 0) {
syslog(LOG_ERR, "read (in checksum test): %m");
SlowDeath();
}
#ifndef NOENCRYPTION
cksum += cbc_cksum(buf, obuf, n, key_sched, key_sched);
#endif
}
return cksum;
}
#endif
-56
View File
@@ -1,56 +0,0 @@
# From: @(#)Makefile 5.1 (Berkeley) 6/25/90
# $Id: Makefile,v 1.5 1995/07/18 16:38:02 mark Exp $
LIB= krb
SHLIB_MAJOR= 2
SHLIB_MINOR= 0
CFLAGS+=-DKERBEROS -DCRYPT -DDEBUG -I${.CURDIR}/../include -DBSD42 -Wall
SRCS= krb_err.c create_auth_reply.c create_ciph.c \
create_death_packet.c create_ticket.c debug_decl.c decomp_ticket.c \
des_rw.c dest_tkt.c extract_ticket.c fgetst.c get_ad_tkt.c \
get_admhst.c get_cred.c get_in_tkt.c get_krbhst.c get_krbrlm.c \
get_phost.c get_pw_tkt.c get_request.c get_svc_in_tkt.c \
get_tf_fullname.c get_tf_realm.c getrealm.c getst.c in_tkt.c \
k_gethostname.c klog.c kname_parse.c kntoln.c kparse.c \
krb_err_txt.c krb_get_in_tkt.c kuserok.c log.c mk_err.c \
mk_priv.c mk_req.c mk_safe.c month_sname.c \
netread.c netwrite.c one.c pkt_cipher.c pkt_clen.c rd_err.c \
rd_priv.c rd_req.c rd_safe.c read_service_key.c recvauth.c \
save_credentials.c send_to_kdc.c sendauth.c stime.c tf_util.c \
tkt_string.c util.c
TDIR= ${.CURDIR}/..
krb_err.c krb_err.h: krb_err.et
test -e krb_err.et || ln -s ${.CURDIR}/krb_err.et .
${COMPILE_ET} krb_err.et
LDADD+= -lcom_err
beforeinstall:
-cd ${.OBJDIR}; cmp -s krb_err.h \
${DESTDIR}/usr/include/kerberosIV/krb_err.h || \
install -c -o ${BINOWN} -g ${BINGRP} -m 444 krb_err.h \
${DESTDIR}/usr/include/kerberosIV
MAN3= krb.3 krb_realmofhost.3 krb_sendauth.3 krb_set_tkt_string.3 \
kuserok.3 tf_util.3
MLINKS= krb.3 krb_mk_req.3 krb.3 krb_rd_req.3 krb.3 krb_kntoln.3 \
krb.3 krb_set_key.3 krb.3 krb_get_cred.3 krb.3 krb_mk_priv.3 \
krb.3 krb_rd_priv.3 krb.3 krb_mk_safe.3 krb.3 krb_rd_safe.3 \
krb.3 krb_mk_err.3 krb.3 krb_rd_err.3 krb.3 krb_ck_repl.3
MLINKS+=krb_realmofhost.3 krb_get_phost.3 krb_realmofhost.3 krb_get_krbhst.3 \
krb_realmofhost.3 krb_get_admhst.3 krb_realmofhost.3 krb_get_lrealm.3
MLINKS+=krb_realmofhost.3 realm.3
MLINKS+=krb_sendauth.3 krb_recvauth.3 krb_sendauth.3 krb_net_write.3 \
krb_sendauth.3 krb_net_read.3
MLINKS+=krb_sendauth.3 ksend.3
MLINKS+=tf_util.3 tf_init.3 tf_util.3 tf_get_pname.3 \
tf_util.3 tf_get_pinst.3 tf_util.3 tf_get_cred.3 \
tf_util.3 tf_close.3
.include <bsd.lib.mk>
-91
View File
@@ -1,91 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: add_ticket.c,v 4.7 88/10/07 06:06:26 shanzer Exp $
* $Id: add_ticket.c,v 1.3 1995/07/18 16:38:04 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: add_ticket.c,v 1.3 1995/07/18 16:38:04 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <prot.h>
#include <strings.h>
/*
* This routine is now obsolete. It used to be possible to request
* more than one ticket at a time from the authentication server, and
* it looks like this routine was used by the server to package the
* tickets to be returned to the client.
*/
/*
* This routine adds a new ticket to the ciphertext to be returned to
* the client. The routine takes the ciphertext (which doesn't get
* encrypted till later), the number of the ticket (i.e. 1st, 2nd,
* etc) the session key which goes in the ticket and is sent back to
* the user, the lifetime for the ticket, the service name, the
* instance, the realm, the key version number, and the ticket itself.
*
* This routine returns 0 (KSUCCESS) on success, and 1 (KFAILURE) on
* failure. On failure, which occurs when there isn't enough room
* for the ticket, a 0 length ticket is added.
*
* Notes: This routine must be called with successive values of n.
* i.e. the ticket must be added in order. The corresponding routine
* on the client side is extract ticket.
*/
/* XXX they aren't all used; to avoid incompatible changes we will
* fool lint for the moment */
/*ARGSUSED */
int
add_ticket(cipher,n,session,lifetime,sname,instance,realm,kvno,ticket)
KTEXT cipher; /* Ciphertext info for ticket */
char *sname; /* Service name */
char *instance; /* Instance */
int n; /* Relative position of this ticket */
char *session; /* Session key for this tkt */
int lifetime; /* Lifetime of this ticket */
char *realm; /* Realm in which ticket is valid */
int kvno; /* Key version number of service key */
KTEXT ticket; /* The ticket itself */
{
/* Note, the 42 is a temporary hack; it will have to be changed. */
/* Begin check of ticket length */
if ((cipher->length + ticket->length + 4 + 42 +
(*(cipher->dat)+1-n)*(11+strlen(realm))) >
MAX_KTXT_LEN) {
bcopy(session,(char *)(cipher->dat+cipher->length),8);
*(cipher->dat+cipher->length+8) = (char) lifetime;
*(cipher->dat+cipher->length+9) = (char) kvno;
(void) strcpy((char *)(cipher->dat+cipher->length+10),realm);
cipher->length += 11 + strlen(realm);
*(cipher->dat+n) = 0;
return(KFAILURE);
}
/* End check of ticket length */
/* Add the session key, lifetime, kvno, ticket to the ciphertext */
bcopy(session,(char *)(cipher->dat+cipher->length),8);
*(cipher->dat+cipher->length+8) = (char) lifetime;
*(cipher->dat+cipher->length+9) = (char) kvno;
(void) strcpy((char *)(cipher->dat+cipher->length+10),realm);
cipher->length += 11 + strlen(realm);
bcopy((char *)(ticket->dat),(char *)(cipher->dat+cipher->length),
ticket->length);
cipher->length += ticket->length;
/* Set the ticket length at beginning of ciphertext */
*(cipher->dat+n) = ticket->length;
return(KSUCCESS);
}
-118
View File
@@ -1,118 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: create_auth_reply.c,v 4.10 89/01/13 17:47:38 steiner Exp $
* $Id: create_auth_reply.c,v 1.3 1995/07/18 16:38:06 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: create_auth_reply.c,v 1.3 1995/07/18 16:38:06 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <prot.h>
#include <strings.h>
/*
* This routine is called by the Kerberos authentication server
* to create a reply to an authentication request. The routine
* takes the user's name, instance, and realm, the client's
* timestamp, the number of tickets, the user's key version
* number and the ciphertext containing the tickets themselves.
* It constructs a packet and returns a pointer to it.
*
* Notes: The packet returned by this routine is static. Thus, if you
* intend to keep the result beyond the next call to this routine, you
* must copy it elsewhere.
*
* The packet is built in the following format:
*
* variable
* type or constant data
* ---- ----------- ----
*
* unsigned char KRB_PROT_VERSION protocol version number
*
* unsigned char AUTH_MSG_KDC_REPLY protocol message type
*
* [least significant HOST_BYTE_ORDER sender's (server's) byte
* bit of above field] order
*
* string pname principal's name
*
* string pinst principal's instance
*
* string prealm principal's realm
*
* unsigned long time_ws client's timestamp
*
* unsigned char n number of tickets
*
* unsigned long x_date expiration date
*
* unsigned char kvno master key version
*
* short w_1 cipher length
*
* --- cipher->dat cipher data
*/
KTEXT
create_auth_reply(pname,pinst,prealm,time_ws,n,x_date,kvno,cipher)
char *pname; /* Principal's name */
char *pinst; /* Principal's instance */
char *prealm; /* Principal's authentication domain */
long time_ws; /* Workstation time */
int n; /* Number of tickets */
unsigned long x_date; /* Principal's expiration date */
int kvno; /* Principal's key version number */
KTEXT cipher; /* Cipher text with tickets and
* session keys */
{
static KTEXT_ST pkt_st;
KTEXT pkt = &pkt_st;
unsigned char *v = pkt->dat; /* Prot vers number */
unsigned char *t = (pkt->dat+1); /* Prot message type */
short w_l; /* Cipher length */
/* Create fixed part of packet */
*v = (unsigned char) KRB_PROT_VERSION;
*t = (unsigned char) AUTH_MSG_KDC_REPLY;
*t |= HOST_BYTE_ORDER;
if (n != 0)
*v = 3;
/* Add the basic info */
(void) strcpy((char *) (pkt->dat+2), pname);
pkt->length = 3 + strlen(pname);
(void) strcpy((char *) (pkt->dat+pkt->length),pinst);
pkt->length += 1 + strlen(pinst);
(void) strcpy((char *) (pkt->dat+pkt->length),prealm);
pkt->length += 1 + strlen(prealm);
/* Workstation timestamp */
bcopy((char *) &time_ws, (char *) (pkt->dat+pkt->length), 4);
pkt->length += 4;
*(pkt->dat+(pkt->length)++) = (unsigned char) n;
/* Expiration date */
bcopy((char *) &x_date, (char *) (pkt->dat+pkt->length),4);
pkt->length += 4;
/* Now send the ciphertext and info to help decode it */
*(pkt->dat+(pkt->length)++) = (unsigned char) kvno;
w_l = (short) cipher->length;
bcopy((char *) &w_l,(char *) (pkt->dat+pkt->length),2);
pkt->length += 2;
bcopy((char *) (cipher->dat), (char *) (pkt->dat+pkt->length),
cipher->length);
pkt->length += cipher->length;
/* And return the packet */
return pkt;
}
-112
View File
@@ -1,112 +0,0 @@
/*
* Copyright 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: create_ciph.c,v 4.8 89/05/18 21:24:26 jis Exp $
* $Id: create_ciph.c,v 1.3 1995/07/18 16:38:07 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: create_ciph.c,v 1.3 1995/07/18 16:38:07 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <des.h>
#include <strings.h>
/*
* This routine is used by the authentication server to create
* a packet for its client, containing a ticket for the requested
* service (given in "tkt"), and some information about the ticket,
*
* Returns KSUCCESS no matter what.
*
* The length of the cipher is stored in c->length; the format of
* c->dat is as follows:
*
* variable
* type or constant data
* ---- ----------- ----
*
*
* 8 bytes session session key for client, service
*
* string service service name
*
* string instance service instance
*
* string realm KDC realm
*
* unsigned char life ticket lifetime
*
* unsigned char kvno service key version number
*
* unsigned char tkt->length length of following ticket
*
* data tkt->dat ticket for service
*
* 4 bytes kdc_time KDC's timestamp
*
* <=7 bytes null null pad to 8 byte multiple
*
*/
int
create_ciph(c, session, service, instance, realm, life, kvno, tkt,
kdc_time, key)
KTEXT c; /* Text block to hold ciphertext */
C_Block session; /* Session key to send to user */
char *service; /* Service name on ticket */
char *instance; /* Instance name on ticket */
char *realm; /* Realm of this KDC */
unsigned long life; /* Lifetime of the ticket */
int kvno; /* Key version number for service */
KTEXT tkt; /* The ticket for the service */
unsigned long kdc_time; /* KDC time */
C_Block key; /* Key to encrypt ciphertext with */
{
char *ptr;
Key_schedule key_s;
ptr = (char *) c->dat;
bcopy((char *) session, ptr, 8);
ptr += 8;
(void) strcpy(ptr,service);
ptr += strlen(service) + 1;
(void) strcpy(ptr,instance);
ptr += strlen(instance) + 1;
(void) strcpy(ptr,realm);
ptr += strlen(realm) + 1;
*(ptr++) = (unsigned char) life;
*(ptr++) = (unsigned char) kvno;
*(ptr++) = (unsigned char) tkt->length;
bcopy((char *)(tkt->dat),ptr,tkt->length);
ptr += tkt->length;
bcopy((char *) &kdc_time,ptr,4);
ptr += 4;
/* guarantee null padded encrypted data to multiple of 8 bytes */
bzero(ptr, 7);
c->length = (((ptr - (char *) c->dat) + 7) / 8) * 8;
#ifndef NOENCRYPTION
key_sched((C_Block *)key,key_s);
pcbc_encrypt((C_Block *)c->dat,(C_Block *)c->dat,(long) c->length,key_s,
(C_Block *)key,ENCRYPT);
#endif /* NOENCRYPTION */
return(KSUCCESS);
}
-65
View File
@@ -1,65 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: create_death_packet.c,v 4.9 89/01/17 16:05:59 rfrench Exp $
* $Id: create_death_packet.c,v 1.3 1995/07/18 16:38:09 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: create_death_packet.c,v 1.3 1995/07/18 16:38:09 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <prot.h>
#include <strings.h>
/*
* This routine creates a packet to type AUTH_MSG_DIE which is sent to
* the Kerberos server to make it shut down. It is used only in the
* development environment.
*
* It takes a string "a_name" which is sent in the packet. A pointer
* to the packet is returned.
*
* The format of the killer packet is:
*
* type variable data
* or constant
* ---- ----------- ----
*
* unsigned char KRB_PROT_VERSION protocol version number
*
* unsigned char AUTH_MSG_DIE message type
*
* [least significant HOST_BYTE_ORDER byte order of sender
* bit of above field]
*
* string a_name presumably, name of
* principal sending killer
* packet
*/
#ifdef DEBUG
KTEXT
krb_create_death_packet(a_name)
char *a_name;
{
static KTEXT_ST pkt_st;
KTEXT pkt = &pkt_st;
unsigned char *v = pkt->dat;
unsigned char *t = (pkt->dat+1);
*v = (unsigned char) KRB_PROT_VERSION;
*t = (unsigned char) AUTH_MSG_DIE;
*t |= HOST_BYTE_ORDER;
(void) strcpy((char *) (pkt->dat+2),a_name);
pkt->length = 3 + strlen(a_name);
return pkt;
}
#endif /* DEBUG */
-132
View File
@@ -1,132 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: create_ticket.c,v 4.11 89/03/22 14:43:23 jtkohl Exp $
* $Id: create_ticket.c,v 1.3 1995/07/18 16:38:12 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: create_ticket.c,v 1.3 1995/07/18 16:38:12 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
#include <des.h>
#include <krb.h>
#include <prot.h>
#include <strings.h>
/*
* Create ticket takes as arguments information that should be in a
* ticket, and the KTEXT object in which the ticket should be
* constructed. It then constructs a ticket and returns, leaving the
* newly created ticket in tkt.
* The length of the ticket is a multiple of
* eight bytes and is in tkt->length.
*
* If the ticket is too long, the ticket will contain nulls.
* The return value of the routine is undefined.
*
* The corresponding routine to extract information from a ticket it
* decomp_ticket. When changes are made to this routine, the
* corresponding changes should also be made to that file.
*
* The packet is built in the following format:
*
* variable
* type or constant data
* ---- ----------- ----
*
* tkt->length length of ticket (multiple of 8 bytes)
*
* tkt->dat:
*
* unsigned char flags namely, HOST_BYTE_ORDER
*
* string pname client's name
*
* string pinstance client's instance
*
* string prealm client's realm
*
* 4 bytes paddress client's address
*
* 8 bytes session session key
*
* 1 byte life ticket lifetime
*
* 4 bytes time_sec KDC timestamp
*
* string sname service's name
*
* string sinstance service's instance
*
* <=7 bytes null null pad to 8 byte multiple
*
*/
int krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
session, life, time_sec, sname, sinstance, key)
KTEXT tkt; /* Gets filled in by the ticket */
unsigned char flags; /* Various Kerberos flags */
char *pname; /* Principal's name */
char *pinstance; /* Principal's instance */
char *prealm; /* Principal's authentication domain */
long paddress; /* Net address of requesting entity */
char *session; /* Session key inserted in ticket */
short life; /* Lifetime of the ticket */
long time_sec; /* Issue time and date */
char *sname; /* Service Name */
char *sinstance; /* Instance Name */
C_Block key; /* Service's secret key */
{
Key_schedule key_s;
register char *data; /* running index into ticket */
tkt->length = 0; /* Clear previous data */
flags |= HOST_BYTE_ORDER; /* ticket byte order */
bcopy((char *) &flags,(char *) (tkt->dat),sizeof(flags));
data = ((char *)tkt->dat) + sizeof(flags);
(void) strcpy(data, pname);
data += 1 + strlen(pname);
(void) strcpy(data, pinstance);
data += 1 + strlen(pinstance);
(void) strcpy(data, prealm);
data += 1 + strlen(prealm);
bcopy((char *) &paddress, data, 4);
data += 4;
bcopy((char *) session, data, 8);
data += 8;
*(data++) = (char) life;
/* issue time */
bcopy((char *) &time_sec, data, 4);
data += 4;
(void) strcpy(data, sname);
data += 1 + strlen(sname);
(void) strcpy(data, sinstance);
data += 1 + strlen(sinstance);
/* guarantee null padded ticket to multiple of 8 bytes */
bzero(data, 7);
tkt->length = ((data - ((char *)tkt->dat) + 7)/8)*8;
/* Check length of ticket */
if (tkt->length > (sizeof(KTEXT_ST) - 7)) {
bzero(tkt->dat, tkt->length);
tkt->length = 0;
return KFAILURE /* XXX */;
}
#ifndef NOENCRYPTION
key_sched((C_Block *)key,key_s);
pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,(long)tkt->length,
key_s,(C_Block *)key,ENCRYPT);
#endif
return 0;
}
-20
View File
@@ -1,20 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: debug_decl.c,v 4.5 88/10/07 06:07:49 shanzer Exp $
* $Id: debug_decl.c,v 1.3 1995/07/18 16:38:14 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: debug_decl.c,v 1.3 1995/07/18 16:38:14 mark Exp $";
#endif lint
#endif
/* Declare global debugging variables. */
int krb_ap_req_debug = 0;
int krb_debug = 0;
-126
View File
@@ -1,126 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: decomp_ticket.c,v 4.12 89/05/16 18:44:46 jtkohl Exp $
* $Id: decomp_ticket.c,v 1.3 1995/07/18 16:38:15 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: decomp_ticket.c,v 1.3 1995/07/18 16:38:15 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
#include <des.h>
#include <krb.h>
#include <prot.h>
#include <strings.h>
/*
* This routine takes a ticket and pointers to the variables that
* should be filled in based on the information in the ticket. It
* fills in values for its arguments.
*
* Note: if the client realm field in the ticket is the null string,
* then the "prealm" variable is filled in with the local realm (as
* defined by KRB_REALM).
*
* If the ticket byte order is different than the host's byte order
* (as indicated by the byte order bit of the "flags" field), then
* the KDC timestamp "time_sec" is byte-swapped. The other fields
* potentially affected by byte order, "paddress" and "session" are
* not byte-swapped.
*
* The routine returns KFAILURE if any of the "pname", "pinstance",
* or "prealm" fields is too big, otherwise it returns KSUCCESS.
*
* The corresponding routine to generate tickets is create_ticket.
* When changes are made to this routine, the corresponding changes
* should also be made to that file.
*
* See create_ticket.c for the format of the ticket packet.
*/
int
decomp_ticket(tkt, flags, pname, pinstance, prealm, paddress, session,
life, time_sec, sname, sinstance, key, key_s)
KTEXT tkt; /* The ticket to be decoded */
unsigned char *flags; /* Kerberos ticket flags */
char *pname; /* Authentication name */
char *pinstance; /* Principal's instance */
char *prealm; /* Principal's authentication domain */
unsigned long *paddress; /* Net address of entity
* requesting ticket */
C_Block session; /* Session key inserted in ticket */
int *life; /* Lifetime of the ticket */
unsigned long *time_sec; /* Issue time and date */
char *sname; /* Service name */
char *sinstance; /* Service instance */
C_Block key; /* Service's secret key
* (to decrypt the ticket) */
Key_schedule key_s; /* The precomputed key schedule */
{
static int tkt_swap_bytes;
unsigned char *uptr;
char *ptr = (char *)tkt->dat;
#ifndef NOENCRYPTION
pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,(long)tkt->length,
key_s,(C_Block *)key,DECRYPT);
#endif /* ! NOENCRYPTION */
*flags = *ptr; /* get flags byte */
ptr += sizeof(*flags);
tkt_swap_bytes = 0;
if (HOST_BYTE_ORDER != ((*flags >> K_FLAG_ORDER)& 1))
tkt_swap_bytes++;
if (strlen(ptr) > ANAME_SZ)
return(KFAILURE);
(void) strcpy(pname,ptr); /* pname */
ptr += strlen(pname) + 1;
if (strlen(ptr) > INST_SZ)
return(KFAILURE);
(void) strcpy(pinstance,ptr); /* instance */
ptr += strlen(pinstance) + 1;
if (strlen(ptr) > REALM_SZ)
return(KFAILURE);
(void) strcpy(prealm,ptr); /* realm */
ptr += strlen(prealm) + 1;
/* temporary hack until realms are dealt with properly */
if (*prealm == 0)
(void) strcpy(prealm,KRB_REALM);
bcopy(ptr,(char *)paddress,4); /* net address */
ptr += 4;
bcopy(ptr,(char *)session,8); /* session key */
ptr+= 8;
#ifdef notdef /* DONT SWAP SESSION KEY spm 10/22/86 */
if (tkt_swap_bytes)
swap_C_Block(session);
#endif
/* get lifetime, being certain we don't get negative lifetimes */
uptr = (unsigned char *) ptr++;
*life = (int) *uptr;
bcopy(ptr,(char *) time_sec,4); /* issue time */
ptr += 4;
if (tkt_swap_bytes)
swap_u_long(*time_sec);
(void) strcpy(sname,ptr); /* service name */
ptr += 1 + strlen(sname);
(void) strcpy(sinstance,ptr); /* instance */
ptr += 1 + strlen(sinstance);
return(KSUCCESS);
}
-262
View File
@@ -1,262 +0,0 @@
/*
* Copyright (c) 1994 Geoffrey M. Rehmet, Rhodes University
* All rights reserved.
*
* This code is derived from a specification based on software
* which forms part of the 4.4BSD-Lite distribution, which was developed
* by the University of California and its contributors.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the entire comment,
* including the above copyright notice, this list of conditions
* and the following disclaimer, verbatim, at the beginning of
* the source file.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by Geoffrey M. Rehmet
* 4. Neither the name of Geoffrey M. Rehmet nor that of Rhodes University
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
* IN NO EVENT SHALL GEOFFREY M. REHMET OR RHODES UNIVERSITY BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $Id: des_rw.c,v 1.6 1995/07/18 16:38:17 mark Exp $
*/
/*
*
* NB: THESE ROUTINES WILL FAIL IF NON-BLOCKING I/O IS USED.
*
*/
/*
* Routines for reading and writing DES encrypted messages onto sockets.
* (These routines will fail if non-blocking I/O is used.)
*
* When a message is written, its length is first transmitted as an int,
* in network byte order. The encrypted message is then transmitted,
* to a multiple of 8 bytes. Messages shorter than 8 bytes are right
* justified into a buffer of length 8 bytes, and the remainder of the
* buffer is filled with random garbage (before encryption):
*
* DDD -------->--+--------+
* | |
* +--+--+--+--+--+--+--+--+
* |x |x |x |x |x |D |D |D |
* +--+--+--+--+--+--+--+--+
* | garbage | data |
* | |
* +-----------------------+----> des_pcbc_encrypt() -->
*
* (Note that the length field sent before the actual message specifies
* the number of data bytes, not the length of the entire padded message.
*
* When data is read, if the message received is longer than the number
* of bytes requested, then the remaining bytes are stored until the
* following call to des_read(). If the number of bytes received is
* less then the number of bytes received, then only the number of bytes
* actually received is returned.
*
* This interface corresponds with the original des_rw.c, except for the
* bugs in des_read() in the original 4.4BSD version. (One bug is
* normally not visible, due to undocumented behaviour of
* des_pcbc_encrypt() in the original MIT libdes.)
*
* XXX Todo:
* 1) Give better error returns on writes
* 2) Improve error checking on reads
* 3) Get rid of need for extern decl. of krb_net_read()
* 4) Tidy garbage generation a bit
* 5) Make the above comment more readable
*/
#ifdef CRYPT
#ifdef KERBEROS
#ifndef BUFFER_LEN
#define BUFFER_LEN 10240
#endif
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/param.h>
#include <sys/types.h>
#include <des.h>
#include <krb.h>
static des_cblock des_key;
static des_key_schedule key_schedule;
/*
* Buffer for storing extra data when more data is received, then was
* actually requested in des_read().
*/
static u_char des_buff[BUFFER_LEN];
static u_char buffer[BUFFER_LEN];
static unsigned stored = 0;
static u_char *buff_ptr = buffer;
/*
* Set the encryption key for des_read() and des_write().
* inkey is the initial vector for the DES encryption, while insched is
* the DES key, in unwrapped form.
*/
int
des_set_key(inkey, insched)
des_cblock *inkey;
des_key_schedule insched;
{
bcopy(inkey, des_key, sizeof(des_cblock));
bcopy(insched, &key_schedule, sizeof(des_key_schedule));
return 0;
}
/*
* Clear the key schedule, and initial vector, which were previously
* stored in static vars by des_set_key().
*/
void des_clear_key()
{
bzero(&des_key, sizeof(des_cblock));
bzero(&key_schedule, sizeof(des_key_schedule));
}
int
des_read(fd, buf, len)
int fd;
register char * buf;
int len;
{
int msg_length; /* length of actual message data */
int pad_length; /* length of padded message */
int nread; /* number of bytes actually read */
int nreturned = 0;
if(stored >= len) {
bcopy(buff_ptr, buf, len);
stored -= len;
buff_ptr += len;
return(len);
} else {
if (stored) {
bcopy(buff_ptr, buf, stored);
nreturned = stored;
len -= stored;
stored = 0;
buff_ptr = buffer;
} else {
nreturned = 0;
buff_ptr = buffer;
}
}
nread = krb_net_read(fd, (char *)&msg_length, sizeof(msg_length));
if(nread != (int)(sizeof(msg_length)))
return(0);
msg_length = ntohl(msg_length);
pad_length = roundup(msg_length, 8);
nread = krb_net_read(fd, des_buff, pad_length);
if(nread != pad_length)
return(0);
des_pcbc_encrypt((des_cblock*) des_buff, (des_cblock*) buff_ptr,
(msg_length < 8 ? 8 : msg_length),
key_schedule, (des_cblock*) &des_key, DES_DECRYPT);
if(msg_length < 8)
buff_ptr += (8 - msg_length);
stored = msg_length;
if(stored >= len) {
bcopy(buff_ptr, buf, len);
stored -= len;
buff_ptr += len;
nreturned += len;
} else {
bcopy(buff_ptr, buf, stored);
nreturned += stored;
stored = 0;
}
return(nreturned);
}
/*
* Write a message onto a file descriptor (generally a socket), using
* DES to encrypt the message.
*/
int
des_write(fd, buf, len)
int fd;
char * buf;
int len;
{
static int seeded = 0;
char garbage[8];
long rnd;
int pad_len;
int write_len;
int i;
char *data;
if(len < 8) {
/*
* Right justify the message in 8 bytes of random garbage.
*/
if(!seeded) {
seeded = 1;
srandom((unsigned)time(NULL));
}
for(i = 0 ; i < 8 ; i+= sizeof(long)) {
rnd = random();
bcopy(&rnd, garbage+i,
(i <= (8 - sizeof(long)))?sizeof(long):(8-i));
}
bcopy(buf, garbage + 8 - len, len);
data = garbage;
pad_len = 8;
} else {
data = buf;
pad_len = roundup(len, 8);
}
des_pcbc_encrypt((des_cblock*) data, (des_cblock*) des_buff,
(len < 8)?8:len, key_schedule, (des_cblock*) &des_key, DES_ENCRYPT);
write_len = htonl(len);
if(write(fd, &write_len, sizeof(write_len)) != sizeof(write_len))
return(-1);
if(write(fd, des_buff, pad_len) != pad_len)
return(-1);
return(len);
}
#endif /* KERBEROS */
#endif /* CRYPT */
-92
View File
@@ -1,92 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: dest_tkt.c,v 4.9 89/10/02 16:23:07 jtkohl Exp $
* $Id: dest_tkt.c,v 1.3 1995/07/18 16:38:19 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: dest_tkt.c,v 1.3 1995/07/18 16:38:19 mark Exp $";
#endif /* lint */
#endif
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <krb.h>
#include <sys/file.h>
#include <sys/types.h>
#include <sys/stat.h>
#ifdef TKT_SHMEM
#include <sys/param.h>
#endif
#include <errno.h>
/*
* dest_tkt() is used to destroy the ticket store upon logout.
* If the ticket file does not exist, dest_tkt() returns RET_TKFIL.
* Otherwise the function returns RET_OK on success, KFAILURE on
* failure.
*
* The ticket file (TKT_FILE) is defined in "krb.h".
*/
int
dest_tkt()
{
char *file = TKT_FILE;
int i,fd;
extern int errno;
struct stat statb;
char buf[BUFSIZ];
#ifdef TKT_SHMEM
char shmidname[MAXPATHLEN];
#endif /* TKT_SHMEM */
errno = 0;
if (lstat(file,&statb) < 0)
goto out;
if (!(statb.st_mode & S_IFREG)
#ifdef notdef
|| statb.st_mode & 077
#endif
)
goto out;
if ((fd = open(file, O_RDWR, 0)) < 0)
goto out;
bzero(buf, BUFSIZ);
for (i = 0; i < statb.st_size; i += BUFSIZ)
if (write(fd, buf, BUFSIZ) != BUFSIZ) {
(void) fsync(fd);
(void) close(fd);
goto out;
}
(void) fsync(fd);
(void) close(fd);
(void) unlink(file);
out:
if (errno == ENOENT) return RET_TKFIL;
else if (errno != 0) return KFAILURE;
#ifdef TKT_SHMEM
/*
* handle the shared memory case
*/
(void) strcpy(shmidname, file);
(void) strcat(shmidname, ".shm");
if ((i = krb_shm_dest(shmidname)) != KSUCCESS)
return(i);
#endif /* TKT_SHMEM */
return(KSUCCESS);
}
-61
View File
@@ -1,61 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: extract_ticket.c,v 4.6 88/10/07 06:08:15 shanzer Exp $
* $Id: extract_ticket.c,v 1.3 1995/07/18 16:38:21 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: extract_ticket.c,v 1.3 1995/07/18 16:38:21 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <prot.h>
#include <strings.h>
/*
* This routine is obsolete.
*
* This routine accepts the ciphertext returned by kerberos and
* extracts the nth ticket. It also fills in the variables passed as
* session, liftime and kvno.
*/
void
extract_ticket(cipher,n,session,lifetime,kvno,realm,ticket)
KTEXT cipher; /* The ciphertext */
int n; /* Which ticket */
char *session; /* The session key for this tkt */
int *lifetime; /* The life of this ticket */
int *kvno; /* The kvno for the service */
char *realm; /* Realm in which tkt issued */
KTEXT ticket; /* The ticket itself */
{
char *ptr;
int i;
/* Start after the ticket lengths */
ptr = (char *) cipher->dat;
ptr = ptr + 1 + (int) *(cipher->dat);
/* Step through earlier tickets */
for (i = 1; i < n; i++)
ptr = ptr + 11 + strlen(ptr+10) + (int) *(cipher->dat+i);
bcopy(ptr, (char *) session, 8); /* Save the session key */
ptr += 8;
*lifetime = *(ptr++); /* Save the life of the ticket */
*kvno = *(ptr++); /* Save the kvno */
(void) strcpy(realm,ptr); /* instance */
ptr += strlen(realm) + 1;
/* Save the ticket if its length is non zero */
ticket->length = *(cipher->dat+n);
if (ticket->length)
bcopy(ptr, (char *) (ticket->dat), ticket->length);
}
-42
View File
@@ -1,42 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: fgetst.c,v 4.0 89/01/23 10:08:31 jtkohl Exp $
* $Id: fgetst.c,v 1.3 1995/07/18 16:38:23 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: fgetst.c,v 1.3 1995/07/18 16:38:23 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
/*
* fgetst takes a file descriptor, a character pointer, and a count.
* It reads from the file it has either read "count" characters, or
* until it reads a null byte. When finished, what has been read exists
* in "s". If "count" characters were actually read, the last is changed
* to a null, so the returned string is always null-terminated. fgetst
* returns the number of characters read, including the null terminator.
*/
int
fgetst(f, s, n)
FILE *f;
register char *s;
int n;
{
register int count = n;
int ch; /* NOT char; otherwise you don't see EOF */
while ((ch = getc(f)) != EOF && ch && --count) {
*s++ = ch;
}
*s = '\0';
return (n - count);
}
-237
View File
@@ -1,237 +0,0 @@
/*
* Copyright 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_ad_tkt.c,v 4.15 89/07/07 15:18:51 jtkohl Exp $
* $Id: get_ad_tkt.c,v 1.3 1995/07/18 16:38:25 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: get_ad_tkt.c,v 1.3 1995/07/18 16:38:25 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <des.h>
#include <prot.h>
#include <strings.h>
#include <stdio.h>
#include <errno.h>
/* use the bsd time.h struct defs for PC too! */
#include <sys/time.h>
#include <sys/types.h>
extern int krb_debug;
struct timeval tt_local = { 0, 0 };
int swap_bytes;
unsigned long rep_err_code;
/*
* get_ad_tkt obtains a new service ticket from Kerberos, using
* the ticket-granting ticket which must be in the ticket file.
* It is typically called by krb_mk_req() when the client side
* of an application is creating authentication information to be
* sent to the server side.
*
* get_ad_tkt takes four arguments: three pointers to strings which
* contain the name, instance, and realm of the service for which the
* ticket is to be obtained; and an integer indicating the desired
* lifetime of the ticket.
*
* It returns an error status if the ticket couldn't be obtained,
* or AD_OK if all went well. The ticket is stored in the ticket
* cache.
*
* The request sent to the Kerberos ticket-granting service looks
* like this:
*
* pkt->dat
*
* TEXT original contents of authenticator+ticket
* pkt->dat built in krb_mk_req call
*
* 4 bytes time_ws always 0 (?)
* char lifetime lifetime argument passed
* string service service name argument
* string sinstance service instance arg.
*
* See "prot.h" for the reply packet layout and definitions of the
* extraction macros like pkt_version(), pkt_msg_type(), etc.
*/
int
get_ad_tkt(service,sinstance,realm,lifetime)
char *service;
char *sinstance;
char *realm;
int lifetime;
{
static KTEXT_ST pkt_st;
KTEXT pkt = & pkt_st; /* Packet to KDC */
static KTEXT_ST rpkt_st;
KTEXT rpkt = &rpkt_st; /* Returned packet */
static KTEXT_ST cip_st;
KTEXT cip = &cip_st; /* Returned Ciphertext */
static KTEXT_ST tkt_st;
KTEXT tkt = &tkt_st; /* Current ticket */
C_Block ses; /* Session key for tkt */
CREDENTIALS cr;
int kvno; /* Kvno for session key */
char lrealm[REALM_SZ];
C_Block key; /* Key for decrypting cipher */
Key_schedule key_s;
long time_ws = 0;
char s_name[SNAME_SZ];
char s_instance[INST_SZ];
int msg_byte_order;
int kerror;
char rlm[REALM_SZ];
char *ptr;
unsigned long kdc_time; /* KDC time */
if ((kerror = krb_get_tf_realm(TKT_FILE, lrealm)) != KSUCCESS)
return(kerror);
/* Create skeleton of packet to be sent */
(void) gettimeofday(&tt_local,(struct timezone *) 0);
pkt->length = 0;
/*
* Look for the session key (and other stuff we don't need)
* in the ticket file for krbtgt.realm@lrealm where "realm"
* is the service's realm (passed in "realm" argument) and
* lrealm is the realm of our initial ticket. If we don't
* have this, we will try to get it.
*/
if ((kerror = krb_get_cred("krbtgt",realm,lrealm,&cr)) != KSUCCESS) {
/*
* If realm == lrealm, we have no hope, so let's not even try.
*/
if ((strncmp(realm, lrealm, REALM_SZ)) == 0)
return(AD_NOTGT);
else{
if ((kerror =
get_ad_tkt("krbtgt",realm,lrealm,lifetime)) != KSUCCESS)
return(kerror);
if ((kerror = krb_get_cred("krbtgt",realm,lrealm,&cr)) != KSUCCESS)
return(kerror);
}
}
/*
* Make up a request packet to the "krbtgt.realm@lrealm".
* Start by calling krb_mk_req() which puts ticket+authenticator
* into "pkt". Then tack other stuff on the end.
*/
kerror = krb_mk_req(pkt,"krbtgt",realm,lrealm,0L);
if (kerror)
return(AD_NOTGT);
/* timestamp */
bcopy((char *) &time_ws,(char *) (pkt->dat+pkt->length),4);
pkt->length += 4;
*(pkt->dat+(pkt->length)++) = (char) lifetime;
(void) strcpy((char *) (pkt->dat+pkt->length),service);
pkt->length += 1 + strlen(service);
(void) strcpy((char *)(pkt->dat+pkt->length),sinstance);
pkt->length += 1 + strlen(sinstance);
rpkt->length = 0;
/* Send the request to the local ticket-granting server */
if ((kerror = send_to_kdc(pkt, rpkt, realm))) return(kerror);
/* check packet version of the returned packet */
if (pkt_version(rpkt) != KRB_PROT_VERSION )
return(INTK_PROT);
/* Check byte order */
msg_byte_order = pkt_msg_type(rpkt) & 1;
swap_bytes = 0;
if (msg_byte_order != HOST_BYTE_ORDER)
swap_bytes++;
switch (pkt_msg_type(rpkt) & ~1) {
case AUTH_MSG_KDC_REPLY:
break;
case AUTH_MSG_ERR_REPLY:
bcopy(pkt_err_code(rpkt), (char *) &rep_err_code, 4);
if (swap_bytes)
swap_u_long(rep_err_code);
return(rep_err_code);
default:
return(INTK_PROT);
}
/* Extract the ciphertext */
cip->length = pkt_clen(rpkt); /* let clen do the swap */
bcopy((char *) pkt_cipher(rpkt),(char *) (cip->dat),cip->length);
#ifndef NOENCRYPTION
key_sched((C_Block *)cr.session,key_s);
pcbc_encrypt((C_Block *)cip->dat,(C_Block *)cip->dat,(long)cip->length,
key_s,(C_Block *)cr.session,DECRYPT);
#endif
/* Get rid of all traces of key */
bzero((char *) cr.session, sizeof(key));
bzero((char *) key_s, sizeof(key_s));
ptr = (char *) cip->dat;
bcopy(ptr,(char *)ses,8);
ptr += 8;
(void) strcpy(s_name,ptr);
ptr += strlen(s_name) + 1;
(void) strcpy(s_instance,ptr);
ptr += strlen(s_instance) + 1;
(void) strcpy(rlm,ptr);
ptr += strlen(rlm) + 1;
lifetime = (unsigned long) ptr[0];
kvno = (unsigned long) ptr[1];
tkt->length = (int) ptr[2];
ptr += 3;
bcopy(ptr,(char *)(tkt->dat),tkt->length);
ptr += tkt->length;
if (strcmp(s_name, service) || strcmp(s_instance, sinstance) ||
strcmp(rlm, realm)) /* not what we asked for */
return(INTK_ERR); /* we need a better code here XXX */
/* check KDC time stamp */
bcopy(ptr,(char *)&kdc_time,4); /* Time (coarse) */
if (swap_bytes) swap_u_long(kdc_time);
ptr += 4;
(void) gettimeofday(&tt_local,(struct timezone *) 0);
if (abs((int)(tt_local.tv_sec - kdc_time)) > CLOCK_SKEW) {
return(RD_AP_TIME); /* XXX should probably be better
code */
}
if ((kerror = save_credentials(s_name,s_instance,rlm,ses,lifetime,
kvno,tkt,tt_local.tv_sec)))
return(kerror);
return(AD_OK);
}
-82
View File
@@ -1,82 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_admhst.c,v 4.0 89/01/23 10:08:55 jtkohl Exp $
* $Id: get_admhst.c,v 1.3 1995/07/18 16:38:27 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: get_admhst.c,v 1.3 1995/07/18 16:38:27 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
#include <krb.h>
#include <string.h>
/*
* Given a Kerberos realm, find a host on which the Kerberos database
* administration server can be found.
*
* krb_get_admhst takes a pointer to be filled in, a pointer to the name
* of the realm for which a server is desired, and an integer n, and
* returns (in h) the nth administrative host entry from the configuration
* file (KRB_CONF, defined in "krb.h") associated with the specified realm.
*
* On error, get_admhst returns KFAILURE. If all goes well, the routine
* returns KSUCCESS.
*
* For the format of the KRB_CONF file, see comments describing the routine
* krb_get_krbhst().
*
* This is a temporary hack to allow us to find the nearest system running
* a Kerberos admin server. In the long run, this functionality will be
* provided by a nameserver.
*/
int
krb_get_admhst(h, r, n)
char *h;
char *r;
int n;
{
FILE *cnffile;
char tr[REALM_SZ];
char linebuf[BUFSIZ];
char scratch[64];
register int i;
if ((cnffile = fopen(KRB_CONF,"r")) == NULL) {
return(KFAILURE);
}
if (fgets(linebuf, BUFSIZ, cnffile) == NULL) {
/* error reading */
(void) fclose(cnffile);
return(KFAILURE);
}
if (!index(linebuf, '\n')) {
/* didn't all fit into buffer, punt */
(void) fclose(cnffile);
return(KFAILURE);
}
for (i = 0; i < n; ) {
/* run through the file, looking for admin host */
if (fgets(linebuf, BUFSIZ, cnffile) == NULL) {
(void) fclose(cnffile);
return(KFAILURE);
}
/* need to scan for a token after 'admin' to make sure that
admin matched correctly */
if (sscanf(linebuf, "%s %s admin %s", tr, h, scratch) != 3)
continue;
if (!strcmp(tr,r))
i++;
}
(void) fclose(cnffile);
return(KSUCCESS);
}
-63
View File
@@ -1,63 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_cred.c,v 4.10 89/05/31 17:46:22 jtkohl Exp $
* $Id: get_cred.c,v 1.3 1995/07/18 16:38:28 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: get_cred.c,v 1.3 1995/07/18 16:38:28 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
#include <krb.h>
/*
* krb_get_cred takes a service name, instance, and realm, and a
* structure of type CREDENTIALS to be filled in with ticket
* information. It then searches the ticket file for the appropriate
* ticket and fills in the structure with the corresponding
* information from the file. If successful, it returns KSUCCESS.
* On failure it returns a Kerberos error code.
*/
int
krb_get_cred(service,instance,realm,c)
char *service; /* Service name */
char *instance; /* Instance */
char *realm; /* Auth domain */
CREDENTIALS *c; /* Credentials struct */
{
int tf_status; /* return value of tf function calls */
/* Open ticket file and lock it for shared reading */
if ((tf_status = tf_init(TKT_FILE, R_TKT_FIL)) != KSUCCESS)
return(tf_status);
/* Copy principal's name and instance into the CREDENTIALS struc c */
if ( (tf_status = tf_get_pname(c->pname)) != KSUCCESS ||
(tf_status = tf_get_pinst(c->pinst)) != KSUCCESS )
return (tf_status);
/* Search for requested service credentials and copy into c */
while ((tf_status = tf_get_cred(c)) == KSUCCESS) {
/* Is this the right ticket? */
if ((strcmp(c->service,service) == 0) &&
(strcmp(c->instance,instance) == 0) &&
(strcmp(c->realm,realm) == 0))
break;
}
(void) tf_close();
if (tf_status == EOF)
return (GC_NOTKT);
return(tf_status);
}
-286
View File
@@ -1,286 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_in_tkt.c,v 4.12 89/07/18 16:32:56 jtkohl Exp $
* $Id: get_in_tkt.c,v 1.3 1995/07/18 16:38:30 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: get_in_tkt.c,v 1.3 1995/07/18 16:38:30 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <prot.h>
#ifndef NULL
#define NULL 0
#endif
/*
* This file contains two routines: passwd_to_key() converts
* a password into a DES key (prompting for the password if
* not supplied), and krb_get_pw_in_tkt() gets an initial ticket for
* a user.
*/
/*
* passwd_to_key(): given a password, return a DES key.
* There are extra arguments here which (used to be?)
* used by srvtab_to_key().
*
* If the "passwd" argument is not null, generate a DES
* key from it, using string_to_key().
*
* If the "passwd" argument is null, call des_read_password()
* to prompt for a password and then convert it into a DES key.
*
* In either case, the resulting key is put in the "key" argument,
* and 0 is returned.
*/
/*ARGSUSED */
static int passwd_to_key(user,instance,realm,passwd,key)
char *user, *instance, *realm, *passwd;
C_Block *key;
{
#ifdef NOENCRYPTION
if (!passwd)
placebo_read_password(key, "Password: ", 0);
#else
if (passwd)
string_to_key(passwd,key);
else
des_read_password(key,"Password: ",0);
#endif
return (0);
}
/*
* krb_get_pw_in_tkt() takes the name of the server for which the initial
* ticket is to be obtained, the name of the principal the ticket is
* for, the desired lifetime of the ticket, and the user's password.
* It passes its arguments on to krb_get_in_tkt(), which contacts
* Kerberos to get the ticket, decrypts it using the password provided,
* and stores it away for future use.
*
* krb_get_pw_in_tkt() passes two additional arguments to krb_get_in_tkt():
* the name of a routine (passwd_to_key()) to be used to get the
* password in case the "password" argument is null and NULL for the
* decryption procedure indicating that krb_get_in_tkt should use the
* default method of decrypting the response from the KDC.
*
* The result of the call to krb_get_in_tkt() is returned.
*/
int
krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password)
char *user, *instance, *realm, *service, *sinstance;
int life;
char *password;
{
return(krb_get_in_tkt(user,instance,realm,service,sinstance,life,
passwd_to_key, NULL, password));
}
#ifdef NOENCRYPTION
/*
* $Source: /usr/cvs/src/eBones/krb/get_in_tkt.c,v $
* $Author: mark $
*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
*
* For copying and distribution information, please see the file
* <mit-copyright.h>.
*
* This routine prints the supplied string to standard
* output as a prompt, and reads a password string without
* echoing.
*/
#include <des.h>
#include "conf.h"
#include <stdio.h>
#ifdef BSDUNIX
#include <strings.h>
#include <sys/ioctl.h>
#include <signal.h>
#include <setjmp.h>
#else
/* char *strcpy();
int strcmp(); */
#endif
#ifdef BSDUNIX
static jmp_buf env;
#endif
#ifdef BSDUNIX
static void sig_restore();
static push_signals(), pop_signals();
int placebo_read_pw_string();
#endif
/*** Routines ****************************************************** */
int
placebo_read_password(k,prompt,verify)
des_cblock *k;
char *prompt;
int verify;
{
int ok;
char key_string[BUFSIZ];
#ifdef BSDUNIX
if (setjmp(env)) {
ok = -1;
goto lose;
}
#endif
ok = placebo_read_pw_string(key_string, BUFSIZ, prompt, verify);
if (ok == 0)
bzero(k, sizeof(C_Block));
lose:
bzero(key_string, sizeof (key_string));
return ok;
}
/*
* This version just returns the string, doesn't map to key.
*
* Returns 0 on success, non-zero on failure.
*/
int
placebo_read_pw_string(s,max,prompt,verify)
char *s;
int max;
char *prompt;
int verify;
{
int ok = 0;
char *ptr;
#ifdef BSDUNIX
jmp_buf old_env;
struct sgttyb tty_state;
#endif
char key_string[BUFSIZ];
if (max > BUFSIZ) {
return -1;
}
#ifdef BSDUNIX
bcopy(old_env, env, sizeof(env));
if (setjmp(env))
goto lose;
/* save terminal state*/
if (ioctl(0,TIOCGETP,&tty_state) == -1)
return -1;
push_signals();
/* Turn off echo */
tty_state.sg_flags &= ~ECHO;
if (ioctl(0,TIOCSETP,&tty_state) == -1)
return -1;
#endif
while (!ok) {
printf(prompt);
fflush(stdout);
#ifdef CROSSMSDOS
h19line(s,sizeof(s),0);
if (!strlen(s))
continue;
#else
if (!fgets(s, max, stdin)) {
clearerr(stdin);
continue;
}
if ((ptr = index(s, '\n')))
*ptr = '\0';
#endif
if (verify) {
printf("\nVerifying, please re-enter %s",prompt);
fflush(stdout);
#ifdef CROSSMSDOS
h19line(key_string,sizeof(key_string),0);
if (!strlen(key_string))
continue;
#else
if (!fgets(key_string, sizeof(key_string), stdin)) {
clearerr(stdin);
continue;
}
if ((ptr = index(key_string, '\n')))
*ptr = '\0';
#endif
if (strcmp(s,key_string)) {
printf("\n\07\07Mismatch - try again\n");
fflush(stdout);
continue;
}
}
ok = 1;
}
#ifdef BSDUNIX
lose:
if (!ok)
bzero(s, max);
printf("\n");
/* turn echo back on */
tty_state.sg_flags |= ECHO;
if (ioctl(0,TIOCSETP,&tty_state))
ok = 0;
pop_signals();
bcopy(env, old_env, sizeof(env));
#endif
if (verify)
bzero(key_string, sizeof (key_string));
s[max-1] = 0; /* force termination */
return !ok; /* return nonzero if not okay */
}
#ifdef BSDUNIX
/*
* this can be static since we should never have more than
* one set saved....
*/
#ifdef POSIX
static void (*old_sigfunc[NSIG])();
#else
static int (*old_sigfunc[NSIG])();
#endif POSIX
static push_signals()
{
register i;
for (i = 0; i < NSIG; i++)
old_sigfunc[i] = signal(i,sig_restore);
}
static pop_signals()
{
register i;
for (i = 0; i < NSIG; i++)
signal(i,old_sigfunc[i]);
}
static void sig_restore(sig,code,scp)
int sig,code;
struct sigcontext *scp;
{
longjmp(env,1);
}
#endif
#endif /* NOENCRYPTION */
-87
View File
@@ -1,87 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_krbhst.c,v 4.8 89/01/22 20:00:29 rfrench Exp $
* $Id: get_krbhst.c,v 1.3 1995/07/18 16:38:32 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: get_krbhst.c,v 1.3 1995/07/18 16:38:32 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
#include <krb.h>
#include <strings.h>
/*
* Given a Kerberos realm, find a host on which the Kerberos authenti-
* cation server can be found.
*
* krb_get_krbhst takes a pointer to be filled in, a pointer to the name
* of the realm for which a server is desired, and an integer, n, and
* returns (in h) the nth entry from the configuration file (KRB_CONF,
* defined in "krb.h") associated with the specified realm.
*
* On end-of-file, krb_get_krbhst returns KFAILURE. If n=1 and the
* configuration file does not exist, krb_get_krbhst will return KRB_HOST
* (also defined in "krb.h"). If all goes well, the routine returnes
* KSUCCESS.
*
* The KRB_CONF file contains the name of the local realm in the first
* line (not used by this routine), followed by lines indicating realm/host
* entries. The words "admin server" following the hostname indicate that
* the host provides an administrative database server.
*
* For example:
*
* ATHENA.MIT.EDU
* ATHENA.MIT.EDU kerberos-1.mit.edu admin server
* ATHENA.MIT.EDU kerberos-2.mit.edu
* LCS.MIT.EDU kerberos.lcs.mit.edu admin server
*
* This is a temporary hack to allow us to find the nearest system running
* kerberos. In the long run, this functionality will be provided by a
* nameserver.
*/
int
krb_get_krbhst(h,r,n)
char *h;
char *r;
int n;
{
FILE *cnffile;
char tr[REALM_SZ];
char linebuf[BUFSIZ];
register int i;
if ((cnffile = fopen(KRB_CONF,"r")) == NULL) {
if (n==1) {
(void) strcpy(h,KRB_HOST);
return(KSUCCESS);
}
else
return(KFAILURE);
}
if (fscanf(cnffile,"%s",tr) == EOF)
return(KFAILURE);
/* run through the file, looking for the nth server for this realm */
for (i = 1; i <= n;) {
if (fgets(linebuf, BUFSIZ, cnffile) == NULL) {
(void) fclose(cnffile);
return(KFAILURE);
}
if (sscanf(linebuf, "%s %s", tr, h) != 2)
continue;
if (!strcmp(tr,r))
i++;
}
(void) fclose(cnffile);
return(KSUCCESS);
}
-62
View File
@@ -1,62 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_krbrlm.c,v 4.8 89/01/22 20:02:54 rfrench Exp $
* $Id: get_krbrlm.c,v 1.3 1995/07/18 16:38:34 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: get_krbrlm.c,v 1.3 1995/07/18 16:38:34 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
#include <krb.h>
#include <strings.h>
/*
* krb_get_lrealm takes a pointer to a string, and a number, n. It fills
* in the string, r, with the name of the nth realm specified on the
* first line of the kerberos config file (KRB_CONF, defined in "krb.h").
* It returns 0 (KSUCCESS) on success, and KFAILURE on failure. If the
* config file does not exist, and if n=1, a successful return will occur
* with r = KRB_REALM (also defined in "krb.h").
*
* NOTE: for archaic & compatibility reasons, this routine will only return
* valid results when n = 1.
*
* For the format of the KRB_CONF file, see comments describing the routine
* krb_get_krbhst().
*/
int
krb_get_lrealm(r,n)
char *r;
int n;
{
FILE *cnffile, *fopen();
if (n > 1)
return(KFAILURE); /* Temporary restriction */
if ((cnffile = fopen(KRB_CONF, "r")) == NULL) {
if (n == 1) {
(void) strcpy(r, KRB_REALM);
return(KSUCCESS);
}
else
return(KFAILURE);
}
if (fscanf(cnffile,"%s",r) != 1) {
(void) fclose(cnffile);
return(KFAILURE);
}
(void) fclose(cnffile);
return(KSUCCESS);
}
-55
View File
@@ -1,55 +0,0 @@
/*
* Copyright 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_phost.c,v 4.6 89/01/23 09:25:40 jtkohl Exp $
* $Id: get_phost.c,v 1.3 1995/07/18 16:38:35 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: get_phost.c,v 1.3 1995/07/18 16:38:35 mark Exp $";
#endif /* lint */
#endif
#include <stdio.h>
#include <ctype.h>
#include <netdb.h>
char *index();
/*
* This routine takes an alias for a host name and returns the first
* field, lower case, of its domain name. For example, if "menel" is
* an alias for host officially named "menelaus" (in /etc/hosts), for
* the host whose official name is "MENELAUS.MIT.EDU", the name "menelaus"
* is returned.
*
* This is done for historical Athena reasons: the Kerberos name of
* rcmd servers (rlogin, rsh, rcp) is of the form "rcmd.host@realm"
* where "host"is the lowercase for of the host name ("menelaus").
* This should go away: the instance should be the domain name
* (MENELAUS.MIT.EDU). But for now we need this routine...
*
* A pointer to the name is returned, if found, otherwise a pointer
* to the original "alias" argument is returned.
*/
char * krb_get_phost(alias)
char *alias;
{
struct hostent *h;
char *phost = alias;
if ((h=gethostbyname(alias)) != (struct hostent *)NULL ) {
char *p = index( h->h_name, '.' );
if (p)
*p = NULL;
p = phost = h->h_name;
do {
if (isupper(*p)) *p=tolower(*p);
} while (*p++);
}
return(phost);
}
-75
View File
@@ -1,75 +0,0 @@
/*
* Copyright 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_pw_tkt.c,v 4.6 89/01/13 18:19:11 steiner Exp $
* $Id: get_pw_tkt.c,v 1.3 1995/07/18 16:38:37 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: get_pw_tkt.c,v 1.3 1995/07/18 16:38:37 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
/*
* Get a ticket for the password-changing server ("changepw.KRB_MASTER").
*
* Given the name, instance, realm, and current password of the
* principal for which the user wants a password-changing-ticket,
* return either:
*
* GT_PW_BADPW if current password was wrong,
* GT_PW_NULL if principal had a NULL password,
* or the result of the krb_get_pw_in_tkt() call.
*
* First, try to get a ticket for "user.instance@realm" to use the
* "changepw.KRB_MASTER" server (KRB_MASTER is defined in "krb.h").
* The requested lifetime for the ticket is "1", and the current
* password is the "cpw" argument given.
*
* If the password was bad, give up.
*
* If the principal had a NULL password in the Kerberos database
* (indicating that the principal is known to Kerberos, but hasn't
* got a password yet), try instead to get a ticket for the principal
* "default.changepw@realm" to use the "changepw.KRB_MASTER" server.
* Use the password "changepwkrb" instead of "cpw". Return GT_PW_NULL
* if all goes well, otherwise the error.
*
* If this routine succeeds, a ticket and session key for either the
* principal "user.instance@realm" or "default.changepw@realm" to use
* the password-changing server will be in the user's ticket file.
*/
int
get_pw_tkt(user,instance,realm,cpw)
char *user;
char *instance;
char *realm;
char *cpw;
{
int kerror;
kerror = krb_get_pw_in_tkt(user, instance, realm, "changepw",
KRB_MASTER, 1, cpw);
if (kerror == INTK_BADPW)
return(GT_PW_BADPW);
if (kerror == KDC_NULL_KEY) {
kerror = krb_get_pw_in_tkt("default","changepw",realm,"changepw",
KRB_MASTER,1,"changepwkrb");
if (kerror)
return(kerror);
return(GT_PW_NULL);
}
return(kerror);
}
-55
View File
@@ -1,55 +0,0 @@
/*
* Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
* of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_request.c,v 4.7 88/12/01 14:00:11 jtkohl Exp $
* $Id: get_request.c,v 1.3 1995/07/18 16:38:39 mark Exp $
*/
#if 0
#ifndef lint
static char *rcsid =
"$Id: get_request.c,v 1.3 1995/07/18 16:38:39 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <prot.h>
/*
* This procedure is obsolete. It is used in the kerberos_slave
* code for Version 3 tickets.
*
* This procedure sets s_name, and instance to point to
* the corresponding fields from tne nth request in the packet.
* it returns the lifetime requested. Garbage will be returned
* if there are less than n requests in the packet.
*/
int
get_request(pkt, n, s_name, instance)
KTEXT pkt; /* The packet itself */
int n; /* Which request do we want */
char **s_name; /* Service name to be filled in */
char **instance; /* Instance name to be filled in */
{
/* Go to the beginning of the request list */
char *ptr = (char *) pkt_a_realm(pkt) + 6 +
strlen((char *)pkt_a_realm(pkt));
/* Read requests until we hit the right one */
while (n-- > 1) {
ptr++;
ptr += 1 + strlen(ptr);
ptr += 1 + strlen(ptr);
}
/* Set the arguments to point to the right place */
*s_name = 1 + ptr;
*instance = 2 + ptr + strlen(*s_name);
/* Return the requested lifetime */
return((int) *ptr);
}
-77
View File
@@ -1,77 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_svc_in_tkt.c,v 4.9 89/07/18 16:33:34 jtkohl Exp $
* $Id: get_svc_in_tkt.c,v 1.3 1995/07/18 16:38:41 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: get_svc_in_tkt.c,v 1.3 1995/07/18 16:38:41 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <prot.h>
#ifndef NULL
#define NULL 0
#endif
/*
* This file contains two routines: srvtab_to_key(), which gets
* a server's key from a srvtab file, and krb_get_svc_in_tkt() which
* gets an initial ticket for a server.
*/
/*
* srvtab_to_key(): given a "srvtab" file (where the keys for the
* service on a host are stored), return the private key of the
* given service (user.instance@realm).
*
* srvtab_to_key() passes its arguments on to read_service_key(),
* plus one additional argument, the key version number.
* (Currently, the key version number is always 0; this value
* is treated as a wildcard by read_service_key().)
*
* If the "srvtab" argument is null, KEYFILE (defined in "krb.h")
* is passed in its place.
*
* It returns the return value of the read_service_key() call.
* The service key is placed in "key".
*/
static int
srvtab_to_key(user, instance, realm, srvtab, key)
char *user, *instance, *realm, *srvtab;
C_Block key;
{
if (!srvtab)
srvtab = KEYFILE;
return(read_service_key(user, instance, realm, 0, srvtab,
(char *)key));
}
/*
* krb_get_svc_in_tkt() passes its arguments on to krb_get_in_tkt(),
* plus two additional arguments: a pointer to the srvtab_to_key()
* function to be used to get the key from the key file and a NULL
* for the decryption procedure indicating that krb_get_in_tkt should
* use the default method of decrypting the response from the KDC.
*
* It returns the return value of the krb_get_in_tkt() call.
*/
int
krb_get_svc_in_tkt(user, instance, realm, service, sinstance, life, srvtab)
char *user, *instance, *realm, *service, *sinstance;
int life;
char *srvtab;
{
return(krb_get_in_tkt(user, instance, realm, service, sinstance,
life, srvtab_to_key, NULL, srvtab));
}
-69
View File
@@ -1,69 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_tf_fullname.c,v 4.3 90/03/10 22:40:20 jon Exp $
* $Id: get_tf_fullname.c,v 1.3 1995/07/18 16:38:42 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: get_tf_fullname.c,v 1.3 1995/07/18 16:38:42 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <strings.h>
#include <stdio.h>
/*
* This file contains a routine to extract the fullname of a user
* from the ticket file.
*/
/*
* krb_get_tf_fullname() takes four arguments: the name of the
* ticket file, and variables for name, instance, and realm to be
* returned in. Since the realm of a ticket file is not really fully
* supported, the realm used will be that of the the first ticket in
* the file as this is the one that was obtained with a password by
* krb_get_in_tkt().
*/
int
krb_get_tf_fullname(ticket_file, name, instance, realm)
char *ticket_file;
char *name;
char *instance;
char *realm;
{
int tf_status;
CREDENTIALS c;
if ((tf_status = tf_init(ticket_file, R_TKT_FIL)) != KSUCCESS)
return(tf_status);
if (((tf_status = tf_get_pname(c.pname)) != KSUCCESS) ||
((tf_status = tf_get_pinst(c.pinst)) != KSUCCESS))
return (tf_status);
if (name)
strcpy(name, c.pname);
if (instance)
strcpy(instance, c.pinst);
if ((tf_status = tf_get_cred(&c)) == KSUCCESS) {
if (realm)
strcpy(realm, c.realm);
}
else {
if (tf_status == EOF)
return(KFAILURE);
else
return(tf_status);
}
(void) tf_close();
return(tf_status);
}
-37
View File
@@ -1,37 +0,0 @@
/*
* Copyright 1987, 1988 by the Massachusetts Institute of Technology.
* For copying and distribution information, please see the file
* <Copyright.MIT>.
*
* from: get_tf_realm.c,v 4.2 90/01/02 13:40:19 jtkohl Exp $
* $Id: get_tf_realm.c,v 1.3 1995/07/18 16:38:44 mark Exp $
*/
#if 0
#ifndef lint
static char rcsid[] =
"$Id: get_tf_realm.c,v 1.3 1995/07/18 16:38:44 mark Exp $";
#endif /* lint */
#endif
#include <krb.h>
#include <strings.h>
/*
* This file contains a routine to extract the realm of a kerberos
* ticket file.
*/
/*
* krb_get_tf_realm() takes two arguments: the name of a ticket
* and a variable to store the name of the realm in.
*
*/
int
krb_get_tf_realm(ticket_file, realm)
char *ticket_file;
char *realm;
{
return(krb_get_tf_fullname(ticket_file, 0, 0, realm));
}

Some files were not shown because too many files have changed in this diff Show More