2 * Copyright (c) 1989 Regents of the University of California.
3 * All rights reserved. The Berkeley software License Agreement
4 * specifies the terms and conditions for redistribution.
8 RCSID("$Id: pop_pass.c,v 1.41 2000/04/12 15:37:46 assar Exp $");
/*
 * krb4_verify_password: checks the password in p->pop_parm[1] for p->user
 * against Kerberos 4 in the local realm.
 * NOTE(review): this listing omits lines (the gutter numbers skip), so the
 * return type, some declarations, the return statements and the closing
 * braces are not visible; the comments below cover only the calls shown.
 */
12 krb4_verify_password (POP
*p
)
15 char lrealm
[REALM_SZ
];
/* Ask the Kerberos 4 library for the local realm name. */
18 status
= krb_get_lrealm(lrealm
,1);
19 if (status
== KFAILURE
) {
/* Log the failure with the client, the krb4 identity held in p->kdata and
 * the library's error text for the status code. */
20 pop_log(p
, POP_PRIORITY
, "%s: (%s.%s@%s) %s", p
->client
,
21 p
->kdata
.pname
, p
->kdata
.pinst
, p
->kdata
.prealm
,
22 krb_get_err_text(status
));
/* Per-process ticket file name: TKT_ROOT + "_popper." + pid, bounded by
 * sizeof(tkt).
 * NOTE(review): the name is predictable. If TKT_ROOT lies in a shared,
 * world-writable directory (its value is not shown here, confirm), safety
 * depends on the ticket library creating the file without following a
 * pre-existing link. */
25 snprintf(tkt
, sizeof(tkt
), "%s_popper.%u", TKT_ROOT
, (unsigned)getpid());
26 krb_set_tkt_string (tkt
);
/* Verify the password by asking for a ticket for p->user in lrealm.
 * KRB_VERIFY_SECURE presumably makes the library also check the result
 * against the local "pop" service key, so that a forged KDC reply is not
 * enough to pass; confirm against the krb_verify_user documentation. */
28 status
= krb_verify_user(p
->user
, "", lrealm
,
29 p
->pop_parm
[1], KRB_VERIFY_SECURE
, "pop");
/* The ticket file is destroyed straight after verification. Nothing in the
 * visible lines clears the plaintext password held in p->pop_parm[1]. */
30 dest_tkt(); /* no point in keeping the tickets */
/*
 * krb5_verify_password: checks the client-supplied password for p->user by
 * obtaining Kerberos 5 initial credentials and then verifying them.
 * NOTE(review): this listing omits lines (the gutter numbers skip); several
 * argument lists, the error-branch conditions and the return statements are
 * not visible, so the comments below cover only what is shown.
 */
37 krb5_verify_password (POP
*p
)
/* Pre-authentication list with a single entry, encrypted timestamp.
 * Presumably this is what is handed to
 * krb5_get_init_creds_opt_set_preauth_list below (that call's remaining
 * arguments are not visible). */
39 krb5_preauthtype pre_auth_types
[] = {KRB5_PADATA_ENC_TIMESTAMP
};
40 krb5_get_init_creds_opt get_options
;
41 krb5_verify_init_creds_opt verify_options
;
43 krb5_principal client
, server
;
46 krb5_get_init_creds_opt_init (&get_options
);
48 krb5_get_init_creds_opt_set_preauth_list (&get_options
,
52 krb5_verify_init_creds_opt_init (&verify_options
);
/* Parse the login name p->user into the client principal. */
54 ret
= krb5_parse_name (p
->context
, p
->user
, &client
);
56 pop_log(p
, POP_PRIORITY
, "krb5_parse_name: %s",
57 krb5_get_err_text (p
->context
, ret
));
/* Request initial credentials; the arguments (including the password) are on
 * lines missing from this listing. */
61 ret
= krb5_get_init_creds_password (p
->context
,
71 pop_log(p
, POP_PRIORITY
,
72 "krb5_get_init_creds_password: %s",
73 krb5_get_err_text (p
->context
, ret
));
/* Build a service principal into `server` (arguments not visible);
 * presumably the principal the credentials are verified against below. */
77 ret
= krb5_sname_to_principal (p
->context
,
/* NOTE(review): this message names krb5_get_init_creds_password although the
 * call just above is krb5_sname_to_principal. It appears to be a copy-paste
 * slip; a failure here would be attributed to the wrong step during log
 * triage. */
83 pop_log(p
, POP_PRIORITY
,
84 "krb5_get_init_creds_password: %s",
85 krb5_get_err_text (p
->context
, ret
));
/* Verify the freshly obtained credentials. Obtaining credentials alone only
 * shows that some KDC answered; this step is what lets the host check them
 * against a key it holds itself.
 * NOTE(review): the arguments and any settings applied to verify_options are
 * not visible; confirm that verification cannot be skipped silently when the
 * host has no service key available. */
89 ret
= krb5_verify_init_creds (p
->context
,
/* Release both principals and the credential contents on the path shown.
 * NOTE(review): the earlier error branches are only partly visible; confirm
 * they release `client` (and `creds` where already filled) as well. */
95 krb5_free_principal (p
->context
, client
);
96 krb5_free_principal (p
->context
, server
);
97 krb5_free_creds_contents (p
->context
, &creds
);
102 * pass: Obtain the user password from a POP client
/*
 * Body of the PASS handler. The signature, local declarations, several
 * conditions and closing braces are on lines missing from this listing (the
 * gutter numbers skip), so the comments below describe only what is shown.
 */
112 /* Make one string of all these parameters */
/* For every parameter except the last, the terminating NUL is overwritten
 * with a space, so p->pop_parm[1] afterwards reads as one string that may
 * contain spaces.
 * NOTE(review): this stays in bounds only if the parameters are consecutive
 * substrings of one buffer, presumably how the command parser stores them;
 * confirm. */
114 for (i
= 1; i
< p
->parm_count
; ++i
)
115 p
->pop_parm
[i
][strlen(p
->pop_parm
[i
])] = ' ';
117 /* Look for the user in the password file */
/* An unknown user gets the same "Password supplied ... is incorrect" text
 * that the later local-password failures use, not a "no such user" reply.
 * NOTE(review): the Kerberos fallback further down answers with a different
 * text ("Password incorrect"); differing failure replies can let a client
 * distinguish account states, so a single uniform reply is preferable. */
118 if ((pw
= k_getpwnam(p
->user
)) == NULL
)
119 return (pop_msg(p
,POP_FAILURE
,
120 "Password supplied for \"%s\" is incorrect.",
/* p->version == 4: kuserok() decides whether the krb4 identity in p->kdata
 * may act as local user p->user. A non-zero result is the refusal; it is
 * logged at POP_PRIORITY and answered with "Popping not authorized". */
125 if (p
->version
== 4) {
126 if(kuserok (&p
->kdata
, p
->user
)) {
127 pop_log(p
, POP_PRIORITY
,
128 "%s: (%s.%s@%s) tried to retrieve mail for %s.",
129 p
->client
, p
->kdata
.pname
, p
->kdata
.pinst
,
130 p
->kdata
.prealm
, p
->user
);
131 return(pop_msg(p
,POP_FAILURE
,
132 "Popping not authorized"));
/* Authorized: record the mapping from krb4 identity to local user. */
134 pop_log(p
, POP_INFO
, "%s: %s.%s@%s -> %s",
136 p
->kdata
.pname
, p
->kdata
.pinst
, p
->kdata
.prealm
,
/* p->version == 5: note the opposite return convention. The result of
 * krb5_kuserok() is negated here, i.e. a zero result is the refusal. */
141 if (p
->version
== 5) {
144 if (!krb5_kuserok (p
->context
, p
->principal
, p
->user
)) {
145 pop_log (p
, POP_PRIORITY
,
146 "krb5 permission denied");
147 return pop_msg(p
, POP_FAILURE
,
148 "Popping not authorized");
/* The principal -> user mapping is logged only when unparsing succeeds.
 * NOTE(review): whether `name` is released afterwards is not visible. */
150 if(krb5_unparse_name (p
->context
, p
->principal
, &name
) == 0) {
151 pop_log(p
, POP_INFO
, "%s: %s -> %s",
152 p
->ipaddr
, name
, p
->user
);
/* Failure path; the condition that leads here is on lines not shown. */
156 pop_log (p
, POP_PRIORITY
, "kerberos authentication failed");
157 return pop_msg (p
, POP_FAILURE
,
158 "kerberos authentication failed");
163 /* We don't accept connections from users with null passwords */
/* Only a NULL pw_passwd pointer is tested here.
 * NOTE(review): an empty-string password field is a separate case that this
 * test does not cover; confirm how it is treated by the checks below. */
164 if (pw
->pw_passwd
== NULL
)
167 "Password supplied for \"%s\" is incorrect.",
/* One-time-password check against p->otp_ctx; a zero return presumably means
 * the response was accepted (the guarded statement is not visible). */
171 if (otp_verify_user (&p
->otp_ctx
, p
->pop_parm
[1]) == 0)
175 /* Compare the supplied password with the password file entry */
/* Any auth_level other than AUTH_NONE refuses the plain password outright
 * with the generic failure text. */
176 if (p
->auth_level
!= AUTH_NONE
)
177 return pop_msg(p
, POP_FAILURE
,
178 "Password supplied for \"%s\" is incorrect.",
/* Local check: hash the supplied password using the stored hash as salt and
 * compare the result with the stored hash.
 * NOTE(review): crypt() can return NULL (for example on a malformed or
 * unsupported hash), which strcmp() would dereference; a NULL test before
 * the comparison would harden this. */
180 else if (!strcmp(crypt(p
->pop_parm
[1], pw
->pw_passwd
), pw
->pw_passwd
))
/* Fallback to Kerberos password verification, krb4 first and krb5 after it;
 * the conditions linking the two calls are not visible. */
185 ret
= krb4_verify_password (p
);
189 ret
= krb5_verify_password (p
);
192 return pop_msg(p
, POP_FAILURE
,
193 "Password incorrect");
/* Successful logins are logged at POP_INFO.
 * NOTE(review): not every failure reply visible above has a pop_log call
 * next to it (the unknown-user reply at gutter 119 returns directly);
 * confirm that failed attempts are logged with the client address so that
 * repeated guessing can be detected. */
196 pop_log(p
, POP_INFO
, "login from %s as %s",
199 /* Build the name of the user's maildrop */
/* The path is bounded by sizeof(p->drop_name); p->user has matched a passwd
 * entry above. NOTE(review): the snprintf result is not checked, so a
 * truncated path would go unnoticed. */
200 snprintf(p
->drop_name
, sizeof(p
->drop_name
), "%s/%s", POP_MAILDIR
, p
->user
);
/* Not an existing directory: handle the maildrop as a single file (copy it,
 * then read its info). The calls at gutter 210-211 are presumably the
 * alternative for a directory maildrop: changeuser() must succeed before
 * pop_maildir_info() runs, and any failure ends the command with
 * POP_FAILURE. */
202 if(stat(p
->drop_name
, &st
) < 0 || !S_ISDIR(st
.st_mode
)){
203 /* Make a temporary copy of the user's maildrop */
204 /* and set the group and user id */
205 if (pop_dropcopy(p
, pw
) != POP_SUCCESS
) return (POP_FAILURE
);
207 /* Get information about the maildrop */
208 if (pop_dropinfo(p
) != POP_SUCCESS
) return(POP_FAILURE
);
210 if(changeuser(p
, pw
) != POP_SUCCESS
) return POP_FAILURE
;
211 if(pop_maildir_info(p
) != POP_SUCCESS
) return POP_FAILURE
;
213 /* Initialize the last-message-accessed number */
216 /* Authorization completed successfully */
/* Success reply reports the user name, message count and maildrop size. */
217 return (pop_msg (p
, POP_SUCCESS
,
218 "%s has %d message(s) (%ld octets).",
219 p
->user
, p
->msg_count
, p
->drop_size
));