search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge pull request #58 from pettai/heimdal-1-5-branch
[heimdal.git] / kpasswd / kpasswdd.c
blobf4492c7ae83202768ba99870324f33b9f5673432
1 /*
2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kpasswd_locl.h"
35 RCSID("$Id$");
36
37 #include <kadm5/admin.h>
38 #ifdef HAVE_SYS_UN_H
39 #include <sys/un.h>
40 #endif
41 #include <hdb.h>
42 #include <kadm5/private.h>
43
44 static krb5_context context;
45 static krb5_log_facility *log_facility;
46
47 static struct getarg_strings addresses_str;
48 krb5_addresses explicit_addresses;
49
50 static sig_atomic_t exit_flag = 0;
51
52 static void
53 add_one_address (const char *str, int first)
54 {
55 krb5_error_code ret;
56 krb5_addresses tmp;
57
58 ret = krb5_parse_address (context, str, &tmp);
59 if (ret)
60 krb5_err (context, 1, ret, "parse_address `%s'", str);
61 if (first)
62 krb5_copy_addresses(context, &tmp, &explicit_addresses);
63 else
64 krb5_append_addresses(context, &explicit_addresses, &tmp);
65 krb5_free_addresses (context, &tmp);
66 }
67
68 static void
69 send_reply (int s,
70 struct sockaddr *sa,
71 int sa_size,
72 krb5_data *ap_rep,
73 krb5_data *rest)
74 {
75 struct msghdr msghdr;
76 struct iovec iov[3];
77 uint16_t len, ap_rep_len;
78 u_char header[6];
79 u_char *p;
80
81 if (ap_rep)
82 ap_rep_len = ap_rep->length;
83 else
84 ap_rep_len = 0;
85
86 len = 6 + ap_rep_len + rest->length;
87 p = header;
88 *p++ = (len >> 8) & 0xFF;
89 *p++ = (len >> 0) & 0xFF;
90 *p++ = 0;
91 *p++ = 1;
92 *p++ = (ap_rep_len >> 8) & 0xFF;
93 *p++ = (ap_rep_len >> 0) & 0xFF;
94
95 memset (&msghdr, 0, sizeof(msghdr));
96 msghdr.msg_name = (void *)sa;
97 msghdr.msg_namelen = sa_size;
98 msghdr.msg_iov = iov;
99 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
100 #if 0
101 msghdr.msg_control = NULL;
102 msghdr.msg_controllen = 0;
103 #endif
104
105 iov[0].iov_base = (char *)header;
106 iov[0].iov_len = 6;
107 if (ap_rep_len) {
108 iov[1].iov_base = ap_rep->data;
109 iov[1].iov_len = ap_rep->length;
110 } else {
111 iov[1].iov_base = NULL;
112 iov[1].iov_len = 0;
113 }
114 iov[2].iov_base = rest->data;
115 iov[2].iov_len = rest->length;
116
117 if (sendmsg (s, &msghdr, 0) < 0)
118 krb5_warn (context, errno, "sendmsg");
119 }
120
121 static int
122 make_result (krb5_data *data,
123 uint16_t result_code,
124 const char *expl)
125 {
126 krb5_error_code ret;
127 krb5_storage *sp;
128
129 sp = krb5_storage_emem();
130 if (sp == NULL) goto out;
131 ret = krb5_store_uint16(sp, result_code);
132 if (ret) goto out;
133 ret = krb5_store_stringz(sp, expl);
134 if (ret) goto out;
135 ret = krb5_storage_to_data(sp, data);
136 if (ret) goto out;
137 krb5_storage_free(sp);
138
139 return 0;
140 out:
141 if (sp)
142 krb5_storage_free(sp);
143
144 krb5_warnx (context, "Out of memory generating error reply");
145 return 1;
146 }
147
148 static void
149 reply_error (krb5_realm realm,
150 int s,
151 struct sockaddr *sa,
152 int sa_size,
153 krb5_error_code error_code,
154 uint16_t result_code,
155 const char *expl)
156 {
157 krb5_error_code ret;
158 krb5_data error_data;
159 krb5_data e_data;
160 krb5_principal server = NULL;
161
162 if (make_result(&e_data, result_code, expl))
163 return;
164
165 if (realm) {
166 ret = krb5_make_principal (context, &server, realm,
167 "kadmin", "changepw", NULL);
168 if (ret) {
169 krb5_data_free (&e_data);
170 return;
171 }
172 }
173
174 ret = krb5_mk_error (context,
175 error_code,
176 NULL,
177 &e_data,
178 NULL,
179 server,
180 NULL,
181 NULL,
182 &error_data);
183 if (server)
184 krb5_free_principal(context, server);
185 krb5_data_free (&e_data);
186 if (ret) {
187 krb5_warn (context, ret, "Could not even generate error reply");
188 return;
189 }
190 send_reply (s, sa, sa_size, NULL, &error_data);
191 krb5_data_free (&error_data);
192 }
193
194 static void
195 reply_priv (krb5_auth_context auth_context,
196 int s,
197 struct sockaddr *sa,
198 int sa_size,
199 uint16_t result_code,
200 const char *expl)
201 {
202 krb5_error_code ret;
203 krb5_data krb_priv_data;
204 krb5_data ap_rep_data;
205 krb5_data e_data;
206
207 ret = krb5_mk_rep (context,
208 auth_context,
209 &ap_rep_data);
210 if (ret) {
211 krb5_warn (context, ret, "Could not even generate error reply");
212 return;
213 }
214
215 if (make_result(&e_data, result_code, expl))
216 return;
217
218 ret = krb5_mk_priv (context,
219 auth_context,
220 &e_data,
221 &krb_priv_data,
222 NULL);
223 krb5_data_free (&e_data);
224 if (ret) {
225 krb5_warn (context, ret, "Could not even generate error reply");
226 return;
227 }
228 send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
229 krb5_data_free (&ap_rep_data);
230 krb5_data_free (&krb_priv_data);
231 }
232
233 /*
234 * Change the password for `principal', sending the reply back on `s'
235 * (`sa', `sa_size') to `pwd_data'.
236 */
237
238 static void
239 change (krb5_auth_context auth_context,
240 krb5_principal admin_principal,
241 uint16_t version,
242 int s,
243 struct sockaddr *sa,
244 int sa_size,
245 krb5_data *in_data)
246 {
247 krb5_error_code ret;
248 char *client = NULL, *admin = NULL;
249 const char *pwd_reason;
250 kadm5_config_params conf;
251 void *kadm5_handle = NULL;
252 krb5_principal principal = NULL;
253 krb5_data *pwd_data = NULL;
254 char *tmp;
255 ChangePasswdDataMS chpw;
256
257 memset (&conf, 0, sizeof(conf));
258 memset(&chpw, 0, sizeof(chpw));
259
260 if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
261 ret = krb5_copy_data(context, in_data, &pwd_data);
262 if (ret) {
263 krb5_warn (context, ret, "krb5_copy_data");
264 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
265 "out out memory copying password");
266 return;
267 }
268 principal = admin_principal;
269 } else if (version == KRB5_KPASSWD_VERS_SETPW) {
270 size_t len;
271
272 ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
273 &chpw, &len);
274 if (ret) {
275 krb5_warn (context, ret, "decode_ChangePasswdDataMS");
276 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
277 "malformed ChangePasswdData");
278 return;
279 }
280
281
282 ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
283 if (ret) {
284 krb5_warn (context, ret, "krb5_copy_data");
285 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
286 "out out memory copying password");
287 goto out;
288 }
289
290 if (chpw.targname == NULL && chpw.targrealm != NULL) {
291 krb5_warn (context, ret, "kadm5_init_with_password_ctx");
292 reply_priv (auth_context, s, sa, sa_size,
293 KRB5_KPASSWD_MALFORMED,
294 "targrealm but not targname");
295 goto out;
296 }
297
298 if (chpw.targname) {
299 krb5_principal_data princ;
300
301 princ.name = *chpw.targname;
302 princ.realm = *chpw.targrealm;
303 if (princ.realm == NULL) {
304 ret = krb5_get_default_realm(context, &princ.realm);
305
306 if (ret) {
307 krb5_warnx (context,
308 "kadm5_init_with_password_ctx: "
309 "failed to allocate realm");
310 reply_priv (auth_context, s, sa, sa_size,
311 KRB5_KPASSWD_SOFTERROR,
312 "failed to allocate realm");
313 goto out;
314 }
315 }
316 ret = krb5_copy_principal(context, &princ, &principal);
317 if (*chpw.targrealm == NULL)
318 free(princ.realm);
319 if (ret) {
320 krb5_warn(context, ret, "krb5_copy_principal");
321 reply_priv(auth_context, s, sa, sa_size,
322 KRB5_KPASSWD_HARDERROR,
323 "failed to allocate principal");
324 goto out;
325 }
326 } else
327 principal = admin_principal;
328 } else {
329 krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
330 reply_priv (auth_context, s, sa, sa_size,
331 KRB5_KPASSWD_HARDERROR,
332 "Unknown protocol used");
333 return;
334 }
335
336 ret = krb5_unparse_name (context, admin_principal, &admin);
337 if (ret) {
338 krb5_warn (context, ret, "unparse_name failed");
339 reply_priv (auth_context, s, sa, sa_size,
340 KRB5_KPASSWD_HARDERROR, "out of memory error");
341 goto out;
342 }
343
344 conf.realm = principal->realm;
345 conf.mask |= KADM5_CONFIG_REALM;
346
347 ret = kadm5_init_with_password_ctx(context,
348 admin,
349 NULL,
350 KADM5_ADMIN_SERVICE,
351 &conf, 0, 0,
352 &kadm5_handle);
353 if (ret) {
354 krb5_warn (context, ret, "kadm5_init_with_password_ctx");
355 reply_priv (auth_context, s, sa, sa_size, 2,
356 "Internal error");
357 goto out;
358 }
359
360 ret = krb5_unparse_name(context, principal, &client);
361 if (ret) {
362 krb5_warn (context, ret, "unparse_name failed");
363 reply_priv (auth_context, s, sa, sa_size,
364 KRB5_KPASSWD_HARDERROR, "out of memory error");
365 goto out;
366 }
367
368 /*
369 * Check password quality if not changing as administrator
370 */
371
372 if (krb5_principal_compare(context, admin_principal, principal) == TRUE) {
373
374 pwd_reason = kadm5_check_password_quality (context, principal,
375 pwd_data);
376 if (pwd_reason != NULL ) {
377 krb5_warnx (context,
378 "%s didn't pass password quality check with error: %s",
379 client, pwd_reason);
380 reply_priv (auth_context, s, sa, sa_size,
381 KRB5_KPASSWD_SOFTERROR, pwd_reason);
382 goto out;
383 }
384 krb5_warnx (context, "Changing password for %s", client);
385 } else {
386 ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW,
387 principal);
388 if (ret) {
389 krb5_warn (context, ret,
390 "Check ACL failed for %s for changing %s password",
391 admin, client);
392 reply_priv (auth_context, s, sa, sa_size,
393 KRB5_KPASSWD_HARDERROR, "permission denied");
394 goto out;
395 }
396 krb5_warnx (context, "%s is changing password for %s", admin, client);
397 }
398
399 ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
400 if (ret) {
401 krb5_warn (context, ret, "malloc: out of memory");
402 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR,
403 "Internal error");
404 goto out;
405 }
406 tmp = pwd_data->data;
407 tmp[pwd_data->length - 1] = '\0';
408
409 ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
410 krb5_free_data (context, pwd_data);
411 pwd_data = NULL;
412 if (ret) {
413 const char *str = krb5_get_error_message(context, ret);
414 krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
415 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR,
416 str ? str : "Internal error");
417 krb5_free_error_message(context, str);
418 goto out;
419 }
420 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS,
421 "Password changed");
422 out:
423 free_ChangePasswdDataMS(&chpw);
424 if (principal != admin_principal)
425 krb5_free_principal(context, principal);
426 if (admin)
427 free(admin);
428 if (client)
429 free(client);
430 if (pwd_data)
431 krb5_free_data(context, pwd_data);
432 if (kadm5_handle)
433 kadm5_destroy (kadm5_handle);
434 }
435
436 static int
437 verify (krb5_auth_context *auth_context,
438 krb5_realm *realms,
439 krb5_keytab keytab,
440 krb5_ticket **ticket,
441 krb5_data *out_data,
442 uint16_t *version,
443 int s,
444 struct sockaddr *sa,
445 int sa_size,
446 u_char *msg,
447 size_t len,
448 krb5_address *client_addr)
449 {
450 krb5_error_code ret;
451 uint16_t pkt_len, pkt_ver, ap_req_len;
452 krb5_data ap_req_data;
453 krb5_data krb_priv_data;
454 krb5_realm *r;
455
456 /*
457 * Only send an error reply if the request passes basic length
458 * verification. Otherwise, kpasswdd would reply to every UDP packet,
459 * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP
460 * packet with a source address of another UDP service that also replies
461 * to every packet.
462 *
463 * Also suppress the error reply if ap_req_len is 0, which indicates
464 * either an invalid request or an error packet. An error packet may be
465 * the result of a ping-pong attacker pointing us at another kpasswdd.
466 */
467 pkt_len = (msg[0] << 8) | (msg[1]);
468 pkt_ver = (msg[2] << 8) | (msg[3]);
469 ap_req_len = (msg[4] << 8) | (msg[5]);
470 if (pkt_len != len) {
471 krb5_warnx (context, "Strange len: %ld != %ld",
472 (long)pkt_len, (long)len);
473 return 1;
474 }
475 if (ap_req_len == 0) {
476 krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
477 return 1;
478 }
479 if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
480 pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
481 krb5_warnx (context, "Bad version (%d)", pkt_ver);
482 reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version");
483 return 1;
484 }
485 *version = pkt_ver;
486
487 ap_req_data.data = msg + 6;
488 ap_req_data.length = ap_req_len;
489
490 ret = krb5_rd_req (context,
491 auth_context,
492 &ap_req_data,
493 NULL,
494 keytab,
495 NULL,
496 ticket);
497 if (ret) {
498 krb5_warn (context, ret, "krb5_rd_req");
499 reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed");
500 return 1;
501 }
502
503 /* verify realm and principal */
504 for (r = realms; *r != NULL; r++) {
505 krb5_principal principal;
506 krb5_boolean same;
507
508 ret = krb5_make_principal (context,
509 &principal,
510 *r,
511 "kadmin",
512 "changepw",
513 NULL);
514 if (ret)
515 krb5_err (context, 1, ret, "krb5_make_principal");
516
517 same = krb5_principal_compare(context, principal, (*ticket)->server);
518 krb5_free_principal(context, principal);
519 if (same == TRUE)
520 break;
521 }
522 if (*r == NULL) {
523 char *str;
524 krb5_unparse_name(context, (*ticket)->server, &str);
525 krb5_warnx (context, "client used not valid principal %s", str);
526 free(str);
527 reply_error (NULL, s, sa, sa_size, ret, 1,
528 "Bad request");
529 goto out;
530 }
531
532 if (strcmp((*ticket)->server->realm, (*ticket)->client->realm) != 0) {
533 krb5_warnx (context, "server realm (%s) not same a client realm (%s)",
534 (*ticket)->server->realm, (*ticket)->client->realm);
535 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
536 "Bad request");
537 goto out;
538 }
539
540 if (!(*ticket)->ticket.flags.initial) {
541 krb5_warnx (context, "initial flag not set");
542 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
543 "Bad request");
544 goto out;
545 }
546 krb_priv_data.data = msg + 6 + ap_req_len;
547 krb_priv_data.length = len - 6 - ap_req_len;
548
549 /*
550 * Only enforce client addresses on on tickets with addresses. If
551 * its addressless, we are guessing its behind NAT and really
552 * can't know this information.
553 */
554
555 if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
556 ret = krb5_auth_con_setaddrs (context, *auth_context,
557 NULL, client_addr);
558 if (ret) {
559 krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
560 goto out;
561 }
562 }
563
564 ret = krb5_rd_priv (context,
565 *auth_context,
566 &krb_priv_data,
567 out_data,
568 NULL);
569
570 if (ret) {
571 krb5_warn (context, ret, "krb5_rd_priv");
572 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3,
573 "Bad request");
574 goto out;
575 }
576 return 0;
577 out:
578 krb5_free_ticket (context, *ticket);
579 ticket = NULL;
580 return 1;
581 }
582
583 static void
584 process (krb5_realm *realms,
585 krb5_keytab keytab,
586 int s,
587 krb5_address *this_addr,
588 struct sockaddr *sa,
589 int sa_size,
590 u_char *msg,
591 int len)
592 {
593 krb5_error_code ret;
594 krb5_auth_context auth_context = NULL;
595 krb5_data out_data;
596 krb5_ticket *ticket;
597 krb5_address other_addr;
598 uint16_t version;
599
600 memset(&other_addr, 0, sizeof(other_addr));
601 krb5_data_zero (&out_data);
602
603 ret = krb5_auth_con_init (context, &auth_context);
604 if (ret) {
605 krb5_warn (context, ret, "krb5_auth_con_init");
606 return;
607 }
608
609 krb5_auth_con_setflags (context, auth_context,
610 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
611
612 ret = krb5_sockaddr2address (context, sa, &other_addr);
613 if (ret) {
614 krb5_warn (context, ret, "krb5_sockaddr2address");
615 goto out;
616 }
617
618 ret = krb5_auth_con_setaddrs (context, auth_context, this_addr, NULL);
619 if (ret) {
620 krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
621 goto out;
622 }
623
624 if (verify (&auth_context, realms, keytab, &ticket, &out_data,
625 &version, s, sa, sa_size, msg, len, &other_addr) == 0)
626 {
627 /*
628 * We always set the client_addr, to assume that the client
629 * can ignore it if it choose to do so (just the server does
630 * so for addressless tickets).
631 */
632 ret = krb5_auth_con_setaddrs (context, auth_context,
633 this_addr, &other_addr);
634 if (ret) {
635 krb5_warn (context, ret, "krb5_auth_con_setaddr(other)");
636 goto out;
637 }
638
639 change (auth_context,
640 ticket->client,
641 version,
642 s,
643 sa, sa_size,
644 &out_data);
645 memset (out_data.data, 0, out_data.length);
646 krb5_free_ticket (context, ticket);
647 }
648
649 out:
650 krb5_free_address(context, &other_addr);
651 krb5_data_free(&out_data);
652 krb5_auth_con_free(context, auth_context);
653 }
654
655 static int
656 doit (krb5_keytab keytab, int port)
657 {
658 krb5_error_code ret;
659 int *sockets;
660 int maxfd;
661 krb5_realm *realms;
662 krb5_addresses addrs;
663 unsigned n, i;
664 fd_set real_fdset;
665 struct sockaddr_storage __ss;
666 struct sockaddr *sa = (struct sockaddr *)&__ss;
667
668 ret = krb5_get_default_realms(context, &realms);
669 if (ret)
670 krb5_err (context, 1, ret, "krb5_get_default_realms");
671
672 if (explicit_addresses.len) {
673 addrs = explicit_addresses;
674 } else {
675 ret = krb5_get_all_server_addrs (context, &addrs);
676 if (ret)
677 krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
678 }
679 n = addrs.len;
680
681 sockets = malloc (n * sizeof(*sockets));
682 if (sockets == NULL)
683 krb5_errx (context, 1, "out of memory");
684 maxfd = -1;
685 FD_ZERO(&real_fdset);
686 for (i = 0; i < n; ++i) {
687 krb5_socklen_t sa_size = sizeof(__ss);
688
689 krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
690
691 sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
692 if (sockets[i] < 0)
693 krb5_err (context, 1, errno, "socket");
694 if (bind (sockets[i], sa, sa_size) < 0) {
695 char str[128];
696 size_t len;
697 int save_errno = errno;
698
699 ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
700 if (ret)
701 strlcpy(str, "unknown address", sizeof(str));
702 krb5_warn (context, save_errno, "bind(%s)", str);
703 continue;
704 }
705 maxfd = max (maxfd, sockets[i]);
706 if (maxfd >= FD_SETSIZE)
707 krb5_errx (context, 1, "fd too large");
708 FD_SET(sockets[i], &real_fdset);
709 }
710 if (maxfd == -1)
711 krb5_errx (context, 1, "No sockets!");
712
713 while(exit_flag == 0) {
714 krb5_ssize_t retx;
715 fd_set fdset = real_fdset;
716
717 retx = select (maxfd + 1, &fdset, NULL, NULL, NULL);
718 if (retx < 0) {
719 if (errno == EINTR)
720 continue;
721 else
722 krb5_err (context, 1, errno, "select");
723 }
724 for (i = 0; i < n; ++i)
725 if (FD_ISSET(sockets[i], &fdset)) {
726 u_char buf[BUFSIZ];
727 socklen_t addrlen = sizeof(__ss);
728
729 retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
730 sa, &addrlen);
731 if (retx < 0) {
732 if(errno == EINTR)
733 break;
734 else
735 krb5_err (context, 1, errno, "recvfrom");
736 }
737
738 process (realms, keytab, sockets[i],
739 &addrs.val[i],
740 sa, addrlen,
741 buf, retx);
742 }
743 }
744
745 for (i = 0; i < n; ++i)
746 close(sockets[i]);
747 free(sockets);
748
749 krb5_free_addresses (context, &addrs);
750 krb5_free_host_realm (context, realms);
751 krb5_free_context (context);
752 return 0;
753 }
754
755 static RETSIGTYPE
756 sigterm(int sig)
757 {
758 exit_flag = 1;
759 }
760
761 static const char *check_library = NULL;
762 static const char *check_function = NULL;
763 static getarg_strings policy_libraries = { 0, NULL };
764 static char sHDB[] = "HDB:";
765 static char *keytab_str = sHDB;
766 static char *realm_str;
767 static int version_flag;
768 static int help_flag;
769 static char *port_str;
770 static char *config_file;
771
772 struct getargs args[] = {
773 #ifdef HAVE_DLOPEN
774 { "check-library", 0, arg_string, &check_library,
775 "library to load password check function from", "library" },
776 { "check-function", 0, arg_string, &check_function,
777 "password check function to load", "function" },
778 { "policy-libraries", 0, arg_strings, &policy_libraries,
779 "password check function to load", "function" },
780 #endif
781 { "addresses", 0, arg_strings, &addresses_str,
782 "addresses to listen on", "list of addresses" },
783 { "keytab", 'k', arg_string, &keytab_str,
784 "keytab to get authentication key from", "kspec" },
785 { "config-file", 'c', arg_string, &config_file, NULL, NULL },
786 { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
787 { "port", 'p', arg_string, &port_str, "port", NULL },
788 { "version", 0, arg_flag, &version_flag, NULL, NULL },
789 { "help", 0, arg_flag, &help_flag, NULL, NULL }
790 };
791 int num_args = sizeof(args) / sizeof(args[0]);
792
793 int
794 main (int argc, char **argv)
795 {
796 krb5_keytab keytab;
797 krb5_error_code ret;
798 char **files;
799 int port, i;
800
801 krb5_program_setup(&context, argc, argv, args, num_args, NULL);
802
803 if(help_flag)
804 krb5_std_usage(0, args, num_args);
805 if(version_flag) {
806 print_version(NULL);
807 exit(0);
808 }
809
810 if (config_file == NULL) {
811 asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
812 if (config_file == NULL)
813 errx(1, "out of memory");
814 }
815
816 ret = krb5_prepend_config_files_default(config_file, &files);
817 if (ret)
818 krb5_err(context, 1, ret, "getting configuration files");
819
820 ret = krb5_set_config_files(context, files);
821 krb5_free_config_files(files);
822 if (ret)
823 krb5_err(context, 1, ret, "reading configuration files");
824
825 if(realm_str)
826 krb5_set_default_realm(context, realm_str);
827
828 krb5_openlog (context, "kpasswdd", &log_facility);
829 krb5_set_warn_dest(context, log_facility);
830
831 if (port_str != NULL) {
832 struct servent *s = roken_getservbyname (port_str, "udp");
833
834 if (s != NULL)
835 port = s->s_port;
836 else {
837 char *ptr;
838
839 port = strtol (port_str, &ptr, 10);
840 if (port == 0 && ptr == port_str)
841 krb5_errx (context, 1, "bad port `%s'", port_str);
842 port = htons(port);
843 }
844 } else
845 port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
846
847 ret = krb5_kt_register(context, &hdb_kt_ops);
848 if(ret)
849 krb5_err(context, 1, ret, "krb5_kt_register");
850
851 ret = krb5_kt_resolve(context, keytab_str, &keytab);
852 if(ret)
853 krb5_err(context, 1, ret, "%s", keytab_str);
854
855 kadm5_setup_passwd_quality_check (context, check_library, check_function);
856
857 for (i = 0; i < policy_libraries.num_strings; i++) {
858 ret = kadm5_add_passwd_quality_verifier(context,
859 policy_libraries.strings[i]);
860 if (ret)
861 krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
862 }
863 ret = kadm5_add_passwd_quality_verifier(context, NULL);
864 if (ret)
865 krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
866
867
868 explicit_addresses.len = 0;
869
870 if (addresses_str.num_strings) {
871 int j;
872
873 for (j = 0; j < addresses_str.num_strings; ++j)
874 add_one_address (addresses_str.strings[j], j == 0);
875 free_getarg_strings (&addresses_str);
876 } else {
877 char **foo = krb5_config_get_strings (context, NULL,
878 "kdc", "addresses", NULL);
879
880 if (foo != NULL) {
881 add_one_address (*foo++, TRUE);
882 while (*foo)
883 add_one_address (*foo++, FALSE);
884 }
885 }
886
887 #ifdef HAVE_SIGACTION
888 {
889 struct sigaction sa;
890
891 sa.sa_flags = 0;
892 sa.sa_handler = sigterm;
893 sigemptyset(&sa.sa_mask);
894
895 sigaction(SIGINT, &sa, NULL);
896 sigaction(SIGTERM, &sa, NULL);
897 }
898 #else
899 signal(SIGINT, sigterm);
900 signal(SIGTERM, sigterm);
901 #endif
902
903 pidfile(NULL);
904
905 return doit (keytab, port);
906 }
Heimdal