2 * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kpasswd_locl.h"
37 #include <kadm5/admin.h>
42 #include <kadm5/private.h>
44 static krb5_context context
;
45 static krb5_log_facility
*log_facility
;
47 static sig_atomic_t exit_flag
= 0;
58 u_int16_t len
, ap_rep_len
;
63 ap_rep_len
= ap_rep
->length
;
67 len
= 6 + ap_rep_len
+ rest
->length
;
69 *p
++ = (len
>> 8) & 0xFF;
70 *p
++ = (len
>> 0) & 0xFF;
73 *p
++ = (ap_rep_len
>> 8) & 0xFF;
74 *p
++ = (ap_rep_len
>> 0) & 0xFF;
76 memset (&msghdr
, 0, sizeof(msghdr
));
77 msghdr
.msg_name
= (void *)sa
;
78 msghdr
.msg_namelen
= sa_size
;
80 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
82 msghdr
.msg_control
= NULL
;
83 msghdr
.msg_controllen
= 0;
86 iov
[0].iov_base
= (char *)header
;
89 iov
[1].iov_base
= ap_rep
->data
;
90 iov
[1].iov_len
= ap_rep
->length
;
92 iov
[1].iov_base
= NULL
;
95 iov
[2].iov_base
= rest
->data
;
96 iov
[2].iov_len
= rest
->length
;
98 if (sendmsg (s
, &msghdr
, 0) < 0)
99 krb5_warn (context
, errno
, "sendmsg");
103 make_result (krb5_data
*data
,
104 u_int16_t result_code
,
107 krb5_data_zero (data
);
109 data
->length
= asprintf ((char **)&data
->data
,
111 (result_code
>> 8) & 0xFF,
115 if (data
->data
== NULL
) {
116 krb5_warnx (context
, "Out of memory generating error reply");
123 reply_error (krb5_principal server
,
127 krb5_error_code error_code
,
128 u_int16_t result_code
,
132 krb5_data error_data
;
135 if (make_result(&e_data
, result_code
, expl
))
138 ret
= krb5_mk_error (context
,
147 krb5_data_free (&e_data
);
149 krb5_warn (context
, ret
, "Could not even generate error reply");
152 send_reply (s
, sa
, sa_size
, NULL
, &error_data
);
153 krb5_data_free (&error_data
);
157 reply_priv (krb5_auth_context auth_context
,
161 u_int16_t result_code
,
165 krb5_data krb_priv_data
;
166 krb5_data ap_rep_data
;
169 ret
= krb5_mk_rep (context
,
173 krb5_warn (context
, ret
, "Could not even generate error reply");
177 if (make_result(&e_data
, result_code
, expl
))
180 ret
= krb5_mk_priv (context
,
185 krb5_data_free (&e_data
);
187 krb5_warn (context
, ret
, "Could not even generate error reply");
190 send_reply (s
, sa
, sa_size
, &ap_rep_data
, &krb_priv_data
);
191 krb5_data_free (&ap_rep_data
);
192 krb5_data_free (&krb_priv_data
);
196 * Change the password for `principal', sending the reply back on `s'
197 * (`sa', `sa_size') to `pwd_data'.
201 change (krb5_auth_context auth_context
,
202 krb5_principal principal
,
210 const char *pwd_reason
;
211 kadm5_config_params conf
;
215 memset (&conf
, 0, sizeof(conf
));
217 krb5_unparse_name (context
, principal
, &client
);
219 ret
= kadm5_init_with_password_ctx(context
,
227 krb5_warn (context
, ret
, "kadm5_init_with_password_ctx");
228 reply_priv (auth_context
, s
, sa
, sa_size
, 2,
233 krb5_warnx (context
, "Changing password for %s", client
);
236 pwd_reason
= kadm5_check_password_quality (context
, principal
, pwd_data
);
237 if (pwd_reason
!= NULL
) {
238 krb5_warnx (context
, "%s", pwd_reason
);
239 reply_priv (auth_context
, s
, sa
, sa_size
, 4, pwd_reason
);
240 kadm5_destroy (kadm5_handle
);
244 tmp
= malloc (pwd_data
->length
+ 1);
246 krb5_warnx (context
, "malloc: out of memory");
247 reply_priv (auth_context
, s
, sa
, sa_size
, 2,
251 memcpy (tmp
, pwd_data
->data
, pwd_data
->length
);
252 tmp
[pwd_data
->length
] = '\0';
254 ret
= kadm5_s_chpass_principal_cond (kadm5_handle
, principal
, tmp
);
255 memset (tmp
, 0, pwd_data
->length
);
258 krb5_warn (context
, ret
, "kadm5_s_chpass_principal_cond");
259 reply_priv (auth_context
, s
, sa
, sa_size
, 2,
263 reply_priv (auth_context
, s
, sa
, sa_size
, 0, "Password changed");
265 kadm5_destroy (kadm5_handle
);
269 verify (krb5_auth_context
*auth_context
,
270 krb5_principal server
,
272 krb5_ticket
**ticket
,
281 u_int16_t pkt_len
, pkt_ver
, ap_req_len
;
282 krb5_data ap_req_data
;
283 krb5_data krb_priv_data
;
285 pkt_len
= (msg
[0] << 8) | (msg
[1]);
286 pkt_ver
= (msg
[2] << 8) | (msg
[3]);
287 ap_req_len
= (msg
[4] << 8) | (msg
[5]);
288 if (pkt_len
!= len
) {
289 krb5_warnx (context
, "Strange len: %ld != %ld",
290 (long)pkt_len
, (long)len
);
291 reply_error (server
, s
, sa
, sa_size
, 0, 1, "Bad request");
294 if (pkt_ver
!= 0x0001) {
295 krb5_warnx (context
, "Bad version (%d)", pkt_ver
);
296 reply_error (server
, s
, sa
, sa_size
, 0, 1, "Wrong program version");
300 ap_req_data
.data
= msg
+ 6;
301 ap_req_data
.length
= ap_req_len
;
303 ret
= krb5_rd_req (context
,
311 if(ret
== KRB5_KT_NOTFOUND
) {
313 krb5_unparse_name(context
, server
, &name
);
314 krb5_warnx (context
, "krb5_rd_req: %s (%s)",
315 krb5_get_err_text(context
, ret
), name
);
318 krb5_warn (context
, ret
, "krb5_rd_req");
319 reply_error (server
, s
, sa
, sa_size
, ret
, 3, "Authentication failed");
323 if (!(*ticket
)->ticket
.flags
.initial
) {
324 krb5_warnx (context
, "initial flag not set");
325 reply_error (server
, s
, sa
, sa_size
, ret
, 1,
329 krb_priv_data
.data
= msg
+ 6 + ap_req_len
;
330 krb_priv_data
.length
= len
- 6 - ap_req_len
;
332 ret
= krb5_rd_priv (context
,
339 krb5_warn (context
, ret
, "krb5_rd_priv");
340 reply_error (server
, s
, sa
, sa_size
, ret
, 3, "Bad request");
345 krb5_free_ticket (context
, *ticket
);
350 process (krb5_principal server
,
353 krb5_address
*this_addr
,
360 krb5_auth_context auth_context
= NULL
;
363 krb5_address other_addr
;
365 krb5_data_zero (&out_data
);
367 ret
= krb5_auth_con_init (context
, &auth_context
);
369 krb5_warn (context
, ret
, "krb5_auth_con_init");
373 krb5_auth_con_setflags (context
, auth_context
,
374 KRB5_AUTH_CONTEXT_DO_SEQUENCE
);
376 ret
= krb5_sockaddr2address (context
, sa
, &other_addr
);
378 krb5_warn (context
, ret
, "krb5_sockaddr2address");
382 ret
= krb5_auth_con_setaddrs (context
,
386 krb5_free_address (context
, &other_addr
);
388 krb5_warn (context
, ret
, "krb5_auth_con_setaddr");
392 if (verify (&auth_context
, server
, keytab
, &ticket
, &out_data
,
393 s
, sa
, sa_size
, msg
, len
) == 0) {
394 change (auth_context
,
399 memset (out_data
.data
, 0, out_data
.length
);
400 krb5_free_ticket (context
, ticket
);
405 krb5_data_free (&out_data
);
406 krb5_auth_con_free (context
, auth_context
);
410 doit (krb5_keytab keytab
, int port
)
413 krb5_principal server
;
417 krb5_addresses addrs
;
420 struct sockaddr_storage __ss
;
421 struct sockaddr
*sa
= (struct sockaddr
*)&__ss
;
423 ret
= krb5_get_default_realm (context
, &realm
);
425 krb5_err (context
, 1, ret
, "krb5_get_default_realm");
427 ret
= krb5_build_principal (context
,
435 krb5_err (context
, 1, ret
, "krb5_build_principal");
439 ret
= krb5_get_all_server_addrs (context
, &addrs
);
441 krb5_err (context
, 1, ret
, "krb5_get_all_server_addrs");
445 sockets
= malloc (n
* sizeof(*sockets
));
447 krb5_errx (context
, 1, "out of memory");
449 FD_ZERO(&real_fdset
);
450 for (i
= 0; i
< n
; ++i
) {
451 int sa_size
= sizeof(__ss
);
453 krb5_addr2sockaddr (context
, &addrs
.val
[i
], sa
, &sa_size
, port
);
455 sockets
[i
] = socket (sa
->sa_family
, SOCK_DGRAM
, 0);
457 krb5_err (context
, 1, errno
, "socket");
458 if (bind (sockets
[i
], sa
, sa_size
) < 0) {
461 int save_errno
= errno
;
463 ret
= krb5_print_address (&addrs
.val
[i
], str
, sizeof(str
), &len
);
465 strlcpy(str
, "unknown address", sizeof(str
));
466 krb5_warn (context
, save_errno
, "bind(%s)", str
);
469 maxfd
= max (maxfd
, sockets
[i
]);
470 if (maxfd
>= FD_SETSIZE
)
471 krb5_errx (context
, 1, "fd too large");
472 FD_SET(sockets
[i
], &real_fdset
);
475 krb5_errx (context
, 1, "No sockets!");
477 while(exit_flag
== 0) {
479 fd_set fdset
= real_fdset
;
481 ret
= select (maxfd
+ 1, &fdset
, NULL
, NULL
, NULL
);
486 krb5_err (context
, 1, errno
, "select");
488 for (i
= 0; i
< n
; ++i
)
489 if (FD_ISSET(sockets
[i
], &fdset
)) {
491 socklen_t addrlen
= sizeof(__ss
);
493 ret
= recvfrom (sockets
[i
], buf
, sizeof(buf
), 0,
499 krb5_err (context
, 1, errno
, "recvfrom");
502 process (server
, keytab
, sockets
[i
],
508 krb5_free_addresses (context
, &addrs
);
509 krb5_free_principal (context
, server
);
510 krb5_free_context (context
);
520 const char *check_library
= NULL
;
521 const char *check_function
= NULL
;
522 char *keytab_str
= "HDB:";
528 struct getargs args
[] = {
530 { "check-library", 0, arg_string
, &check_library
,
531 "library to load password check function from", "library" },
532 { "check-function", 0, arg_string
, &check_function
,
533 "password check function to load", "function" },
535 { "keytab", 'k', arg_string
, &keytab_str
,
536 "keytab to get authentication key from", "kspec" },
537 { "realm", 'r', arg_string
, &realm_str
, "default realm", "realm" },
538 { "port", 'p', arg_string
, &port_str
, "port" },
539 { "version", 0, arg_flag
, &version_flag
},
540 { "help", 0, arg_flag
, &help_flag
}
542 int num_args
= sizeof(args
) / sizeof(args
[0]);
545 main (int argc
, char **argv
)
552 optind
= krb5_program_setup(&context
, argc
, argv
, args
, num_args
, NULL
);
555 krb5_std_usage(0, args
, num_args
);
562 krb5_set_default_realm(context
, realm_str
);
564 krb5_openlog (context
, "kpasswdd", &log_facility
);
565 krb5_set_warn_dest(context
, log_facility
);
567 if (port_str
!= NULL
) {
568 struct servent
*s
= roken_getservbyname (port_str
, "udp");
575 port
= strtol (port_str
, &ptr
, 10);
576 if (port
== 0 && ptr
== port_str
)
577 krb5_errx (context
, 1, "bad port `%s'", port_str
);
581 port
= krb5_getportbyname (context
, "kpasswd", "udp", KPASSWD_PORT
);
583 ret
= krb5_kt_register(context
, &hdb_kt_ops
);
585 krb5_err(context
, 1, ret
, "krb5_kt_register");
587 ret
= krb5_kt_resolve(context
, keytab_str
, &keytab
);
589 krb5_err(context
, 1, ret
, "%s", keytab_str
);
591 kadm5_setup_passwd_quality_check (context
, check_library
, check_function
);
593 #ifdef HAVE_SIGACTION
598 sa
.sa_handler
= sigterm
;
599 sigemptyset(&sa
.sa_mask
);
601 sigaction(SIGINT
, &sa
, NULL
);
602 sigaction(SIGTERM
, &sa
, NULL
);
605 signal(SIGINT
, sigterm
);
606 signal(SIGTERM
, sigterm
);
611 return doit (keytab
, port
);