From 0f55ce5d77d5e0618ff3ab395f47b031c2880bde Mon Sep 17 00:00:00 2001
From: Antoine Jacoutot
Date: Fri, 18 Sep 2015 10:42:23 +0200
Subject: [PATCH] Initial import.
---
 Makefile | 5 +
 Makefile.inc | 11 +++
 login_krb5-or-pwd/Makefile | 15 +++
 login_krb5-or-pwd/login_krb5-or-pwd.8 | 82 ++++++++++++++++
 login_krb5/Makefile | 15 +++
 login_krb5/login_krb5.8 | 112 ++++++++++++++++++++++
 login_krb5/login_krb5.c | 170 ++++++++++++++++++++++++++++++++++
 login_passwd/common.h | 65 +++++++++++++
 login_passwd/login.c | 168 +++++++++++++++++++++++++++++++++
 login_passwd/login_passwd.8 | 88 ++++++++++++++++++
 login_passwd/login_passwd.c | 68 ++++++++++++++
 login_passwd/pwd_gensalt.c | 92 ++++++++++++++++++
 test | 0
 13 files changed, 891 insertions(+)
 create mode 100644 Makefile
 create mode 100644 Makefile.inc
 create mode 100644 login_krb5-or-pwd/Makefile
 create mode 100644 login_krb5-or-pwd/login_krb5-or-pwd.8
 create mode 100644 login_krb5/Makefile
 create mode 100644 login_krb5/login_krb5.8
 create mode 100644 login_krb5/login_krb5.c
 create mode 100644 login_passwd/common.h
 create mode 100644 login_passwd/login.c
 create mode 100644 login_passwd/login_passwd.8
 create mode 100644 login_passwd/login_passwd.c
 create mode 100644 login_passwd/pwd_gensalt.c
 delete mode 100644 test
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..57ad029
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,5 @@
+.include
+
+SUBDIR= login_krb5 login_krb5-or-pwd
+
+.include
diff --git a/Makefile.inc b/Makefile.inc
new file mode 100644
index 0000000..f799cc6
--- /dev/null
+++ b/Makefile.inc
@@ -0,0 +1,11 @@
+CPPFLAGS+= -Wall
+LDADD+= -lutil
+
+BINOWN= root
+BINGRP= auth
+BINMODE= 4555
+BINDIR= $(LOCALBASE)/libexec/auth
+
+beforeinstall:
+ ${INSTALL} -d -o ${BINOWN} -g ${BINGRP} -m ${DIRMODE} \
+ ${DESTDIR}${BINDIR}
diff --git a/login_krb5-or-pwd/Makefile b/login_krb5-or-pwd/Makefile
new file mode 100644
index 0000000..37f3510
--- /dev/null
+++ b/login_krb5-or-pwd/Makefile
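Review bot: `BINMODE= 4555` in the Makefile.inc hunk installs every helper built under this tree setuid root, and nothing says why. The privilege is presumably needed because login_passwd.c reads the hash through getpwnam(3) and login_krb5.c chown(2)s the ticket cache to the user, but a reader of Makefile.inc alone cannot tell that, so a comment such as `# 4555: BSD auth helpers run setuid root (auth group) so getpwnam(3) yields the hash and ticket caches can be chowned to the user` would keep the next maintainer from "fixing" the mode. The file also mixes `$(LOCALBASE)` with `${INSTALL}`/`${BINOWN}`; `${LOCALBASE}` would match the rest of the file.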
@@ -0,0 +1,15 @@
+.include
+
+PROG= login_krb5-or-pwd
+SRCS= login.c login_passwd.c pwd_gensalt.c login_krb5.c
+MAN= ${PROG}.8
+
+CPPFLAGS+= -DPASSWD -DKRB5
+CPPFLAGS+= -I${.CURDIR}/../login_passwd
+CPPFLAGS+= $$(/usr/local/heimdal/bin/krb5-config --cflags) -I/usr/local/include
+
+LDADD+= $$(/usr/local/heimdal/bin/krb5-config --libs) -L/usr/local/lib
+
+.PATH: ${.CURDIR}/../login_passwd ${.CURDIR}/../login_krb5
+
+.include
diff --git a/login_krb5-or-pwd/login_krb5-or-pwd.8 b/login_krb5-or-pwd/login_krb5-or-pwd.8
new file mode 100644
index 0000000..5a7af7a
--- /dev/null
+++ b/login_krb5-or-pwd/login_krb5-or-pwd.8
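Review bot: The absolute path `/usr/local/heimdal/bin/krb5-config` is hard-coded twice in this Makefile (CPPFLAGS and LDADD) and twice again in login_krb5/Makefile, so a different Heimdal prefix means editing four lines. A single overridable variable in Makefile.inc, `KRB5CONFIG?= /usr/local/heimdal/bin/krb5-config`, used as `$$(${KRB5CONFIG} --cflags)` and `$$(${KRB5CONFIG} --libs)`, removes the duplication and lets the build pick up a different installation without source edits. The `$$(...)` form also re-runs krb5-config on every compile line; assigning the output once with `!=` is the usual BSD make idiom, if the build environment allows it.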
@@ -0,0 +1,82 @@ +.\" $OpenBSD: login_krb5-or-pwd.8,v 1.15 2007/05/31 19:19:40 jmc Exp $ +.\" +.\" Copyright (c) 2000 Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: May 31 2007 $ +.Dt LOGIN_KRB5-OR-PWD 8 +.Os +.Sh NAME +.Nm login_krb5-or-pwd +.Nd provide KerberosV or password authentication type +.Sh SYNOPSIS +.Nm login_krb5-or-pwd +.Op Fl s Ar service +.Op Fl v Ar arguments +.Ar user +.Op Ar class +.Sh DESCRIPTION +The +.Nm +program first attempts to authenticate the user via KerberosV and, +failing that, falls back to standard password authentication. +.Pp +If KerberosV is not configured on the system, +.Nm +is equivalent to calling +.Xr login_passwd 8 . +When root tries to login, +.Nm +skips KerberosV authentication, as this may give problems in case of a +network failure. +.Pp +The +.Ar user +argument is the user's name to be authenticated. +.Pp +The +.Ar service +argument specifies which protocol to use with the +invoking program. +The allowed protocols are +.Em login , +.Em challenge , +and +.Em response . +(The +.Em challenge +protocol is silently ignored but will report success as KerberosV +authentication is not challenge-response based). 
+.Pp +The arguments following +.Fl v +are the same as for +.Xr login_krb5 8 +and +.Xr login_passwd 8 . +Unknown arguments are ignored. +.Pp +.Nm +will prompt the user for a password and report back to the +invoking program whether or not the authentication was +successful. +.Sh SEE ALSO +.Xr login 1 , +.Xr passwd 1 , +.Xr su 1 , +.Xr login.conf 5 , +.Xr ftpd 8 , +.Xr kerberos 8 , +.Xr login_krb5 8 , +.Xr login_passwd 8 diff --git a/login_krb5/Makefile b/login_krb5/Makefile new file mode 100644 index 0000000..0d29e0d --- /dev/null +++ b/login_krb5/Makefile @@ -0,0 +1,15 @@ +.include + +PROG= login_krb5 +SRCS= login.c login_krb5.c +MAN= ${PROG}.8 + +CPPFLAGS+= -DKRB5 +CPPFLAGS+= -I${.CURDIR}/../login_passwd +CPPFLAGS+= $$(/usr/local/heimdal/bin/krb5-config --cflags) -I/usr/local/include + +LDADD+= $$(/usr/local/heimdal/bin/krb5-config --libs) -L/usr/local/lib + +.PATH: ${.CURDIR}/../login_passwd + +.include diff --git a/login_krb5/login_krb5.8 b/login_krb5/login_krb5.8 new file mode 100644 index 0000000..6c4a6a1 --- /dev/null +++ b/login_krb5/login_krb5.8 
@@ -0,0 +1,112 @@ +.\" $OpenBSD: login_krb5.8,v 1.18 2012/06/01 01:43:19 dlg Exp $ +.\" +.\" Copyright (c) 2000 Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: June 1 2012 $ +.Dt LOGIN_KRB5 8 +.Os +.Sh NAME +.Nm login_krb5 +.Nd provide KerberosV authentication type +.Sh SYNOPSIS +.Nm login_krb5 +.Bk -words +.Op Fl s Ar service +.Op Fl v Ar login Ns = Ns Li yes Ns | Ns Li no +.Op Fl v Ar notickets Ns = Ns Li yes Ns | Ns Li no +.Op Fl v Ar invokinguser Ns = Ns Ar user +.Ar user +.Op Ar class +.Ek +.Sh DESCRIPTION +The +.Nm +utility implements the KerberosV authentication mechanism. +It is called by +.Xr login 1 , +.Xr su 1 , +.Xr ftpd 8 , +and others to authenticate the +.Ar user +with KerberosV. +.Pp +The +.Ar user +argument is the user's name to be authenticated. +.Pp +The +.Ar service +argument specifies which protocol to use with the +invoking program. +The allowed protocols are +.Em login , +.Em challenge , +and +.Em response . +(The +.Em challenge +protocol is silently ignored but will report success as KerberosV +authentication is not challenge-response based). +.Pp +If +.Ar invokinguser +is set and the +.Ar user +argument is root, the principal +invokinguser/root will be used for authentication. 
+.Pp +If the +.Ar notickets +argument is equal to +.Dq no , +the default value, and the +.Ar login +argument is equal to +.Dq yes , +then the ticket will be saved in a credentials cache. +.Pp +The +.Ar class +argument is ignored for compatibility with other login scripts. +.Pp +.Nm +will prompt the user for a password and report back to the +invoking program whether or not the authentication was +successful. +.Sh LOGIN.CONF VARIABLES +The +.Nm +utility uses the following krb5-specific +.Pa /etc/login.conf +variables: +.Bl -column "krb5-noverify" "bool" "Description" +.It Sy Name Ta Sy Type Ta Sy Description +.It krb5-noverify Ta bool Ta +Failure to verify credentials against a local key is not considered a fatal +error. +.El +.Sh FILES +.Bl -tag -compact -width xetcxloginxconfxx +.It Pa /etc/login.conf +login configuration database +.El +.Sh SEE ALSO +.Xr login 1 , +.Xr passwd 1 , +.Xr su 1 , +.Xr login.conf 5 , +.Xr ftpd 8 , +.Xr kerberos 8 , +.Xr login_krb5-or-pwd 8 diff --git a/login_krb5/login_krb5.c b/login_krb5/login_krb5.c new file mode 100644 index 0000000..81e420a --- /dev/null +++ b/login_krb5/login_krb5.c 
@@ -0,0 +1,170 @@
+/* $OpenBSD: login_krb5.c,v 1.27 2013/06/21 13:35:26 ajacoutot Exp $ */
+
+/*-
+ * Copyright (c) 2001, 2002 Hans Insulander .
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "common.h"
+
+#include
+
+krb5_error_code ret;
+krb5_context context;
+krb5_ccache ccache;
+krb5_principal princ;
+
+char *__progname;
+
+static void
+krb5_syslog(krb5_context context, int level, krb5_error_code code, char *fmt, ...)
+{
+ va_list ap;
+ char buf[256];
+ const char *s = krb5_get_error_message(context, code);
+
+ va_start(ap, fmt);
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ va_end(ap);
+ syslog(level, "%s: %s", buf, s);
+ krb5_free_error_message(context, s);
+}
+
+static void
+store_tickets(struct passwd *pwd, int ticket_newfiles, int ticket_store,
+ int token_install)
+{
+ char cc_file[PATH_MAX];
+ krb5_ccache ccache_store;
+
+ if (ticket_newfiles)
+ snprintf(cc_file, sizeof(cc_file), "FILE:/tmp/krb5cc_%d",
+ pwd->pw_uid);
+ else
+ snprintf(cc_file, sizeof(cc_file), "%s",
+ krb5_cc_default_name(context));
+
+ if (ticket_store) {
+ ret = krb5_cc_resolve(context, cc_file, &ccache_store);
+ if (ret != 0) {
+ krb5_syslog(context, LOG_ERR, ret,
+ "krb5_cc_resolve");
+ exit(1);
+ }
+
+ ret = krb5_cc_copy_cache(context, ccache, ccache_store);
+ if (ret != 0)
+ krb5_syslog(context, LOG_ERR, ret,
+ "krb5_cc_copy_cache");
+
+ chown(krb5_cc_get_name(context, ccache_store),
+ pwd->pw_uid, pwd->pw_gid);
+
+ fprintf(back, BI_SETENV " KRB5CCNAME %s:%s\n",
+ krb5_cc_get_type(context, ccache_store),
+ krb5_cc_get_name(context, ccache_store));
+ }
+}
+
+int
+krb5_login(char *username, char *invokinguser, char *password, int login,
+ int tickets, char *class)
+{
+ login_cap_t *lc;
+ int return_code = AUTH_FAILED;
+ int noverify = 0;
+
+ if (username == NULL || password == NULL)
+ return (AUTH_FAILED);
+
+ if (strcmp(__progname, "krb5-or-pwd") == 0 &&
+ strcmp(username,"root") == 0 && invokinguser[0] == '\0')
+ return (AUTH_FAILED);
+
+ lc = login_getclass(class);
+ if (lc != NULL)
+ noverify = login_getcapbool(lc, "krb5-noverify", noverify);
+
+ ret = krb5_init_context(&context);
+ if (ret != 0) {
+ krb5_syslog(context, LOG_ERR, ret, "krb5_init_context");
+ exit(1);
+ }
+
+ ret = krb5_cc_new_unique(context, krb5_mcc_ops.prefix, NULL, &ccache);
+ if (ret != 0) {
+ krb5_syslog(context, LOG_ERR, ret, "krb5_cc_new_unique");
+ exit(1);
+ }
+
+ if (strcmp(username, "root") == 0 && invokinguser[0] != '\0')
{
+ char *tmp;
+
+ ret = asprintf(&tmp, "%s/root", invokinguser);
+ if (ret == -1) {
+ krb5_syslog(context, LOG_ERR, ret, "asprintf");
+ exit(1);
+ }
+ ret = krb5_parse_name(context, tmp, &princ);
+ free(tmp);
+ } else
+ ret = krb5_parse_name(context, username, &princ);
+ if (ret != 0) {
+ krb5_syslog(context, LOG_ERR, ret, "krb5_parse_name");
+ exit(1);
+ }
+
+ ret = krb5_verify_user_lrealm(context, princ, ccache,
+ password, !noverify, NULL);
+
+ switch (ret) {
+ case 0: {
+ struct passwd *pwd;
+
+ pwd = getpwnam(username);
+ if (pwd == NULL) {
+ krb5_syslog(context, LOG_ERR, ret,
+ "%s: no such user", username);
+ return (AUTH_FAILED);
+ }
+ fprintf(back, BI_AUTH "\n");
+ store_tickets(pwd, login && tickets, login && tickets, login);
+ return_code = AUTH_OK;
+ break;
+ }
+ case KRB5KRB_AP_ERR_MODIFIED:
+ /* XXX syslog here? */
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY:
+ break;
+ default:
+ krb5_syslog(context, LOG_ERR, ret, "verify");
+ break;
+ }
+
+ krb5_free_principal(context, princ);
+ krb5_cc_close(context, ccache);
+ krb5_free_context(context);
+
+ return (return_code);
+}
diff --git a/login_passwd/common.h b/login_passwd/common.h
new file mode 100644
index 0000000..bd2e0ff
--- /dev/null
+++ b/login_passwd/common.h
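Review bot: When `krb5_init_context(&context)` fails, the error path calls `krb5_syslog(context, LOG_ERR, ret, "krb5_init_context")`, which hands the still-uninitialised global `context` (NULL) to krb5_get_error_message(); whether the library tolerates a NULL context is implementation-dependent, so that one line should log without the context, e.g. `syslog(LOG_ERR, "krb5_init_context failed: %d", (int)ret);`. The same helper is misused in the root branch, where `asprintf` returning -1 is passed as a krb5_error_code even though it is not one; `syslog(LOG_ERR, "asprintf: %m");` reports the actual cause. In store_tickets, a failing `krb5_cc_copy_cache` is only logged, yet the code goes on to chown the cache and emit `BI_SETENV KRB5CCNAME` for a cache that holds no credentials, which is inconsistent with the `krb5_cc_resolve` failure directly above that exits; treating both the same way would be clearer, and the unchecked `chown()` return value deserves at least a comment. Finally, `token_install` is accepted by store_tickets but never read, so the parameter could be dropped or documented as a placeholder.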
@@ -0,0 +1,65 @@ +/* $OpenBSD: common.h,v 1.4 2012/06/01 01:43:19 dlg Exp $ */ +/*- + * Copyright (c) 2001 Hans Insulander . + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#ifndef _COMMON_H_
+#define _COMMON_H_
+
+#include
+#include
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+#define MODE_LOGIN 0
+#define MODE_CHALLENGE 1
+#define MODE_RESPONSE 2
+
+#define AUTH_OK 0
+#define AUTH_FAILED -1
+
+extern FILE *back;
+
+#ifdef PASSWD
+int pwd_login(char *, char *, char *, int, char *);
+int pwd_gensalt(char *, int, login_cap_t *, char);
+#endif
+#ifdef KRB5
+int krb5_login(char *, char *, char *, int, int, char *);
+#endif
+
+#endif /* !_COMMON_H_ */
diff --git a/login_passwd/login.c b/login_passwd/login.c
new file mode 100644
index 0000000..29a9fc9
--- /dev/null
+++ b/login_passwd/login.c
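Review bot: The include guard `_COMMON_H_` uses an identifier reserved for the implementation (leading underscore followed by an uppercase letter); `COMMON_H` avoids the collision risk and is what the C standard leaves to applications. The five integer constants would also be more debugger-friendly as enums: `enum { MODE_LOGIN = 0, MODE_CHALLENGE = 1, MODE_RESPONSE = 2 };` and `enum { AUTH_OK = 0, AUTH_FAILED = -1 };` keep the same values and remain compatible with the `int` variables in login.c. The prototypes carry no parameter names, so a one-line comment per function stating the argument order (`/* username, invokinguser, password, login, tickets, class */` for krb5_login) would help callers that only see this header.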
@@ -0,0 +1,168 @@ +/* $OpenBSD: login.c,v 1.10 2012/06/01 01:43:19 dlg Exp $ */ + +/*- + * Copyright (c) 1995 Berkeley Software Design, Inc. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Berkeley Software Design, + * Inc. + * 4. The name of Berkeley Software Design, Inc. may not be used to endorse + * or promote products derived from this software without specific prior + * written permission. + * + * THIS SOFTWARE IS PROVIDED BY BERKELEY SOFTWARE DESIGN, INC. ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL BERKELEY SOFTWARE DESIGN, INC. BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ *
+ * BSDI $From: login_passwd.c,v 1.11 1997/08/08 18:58:24 prb Exp $
+ */
+
+#include "common.h"
+
+FILE *back = NULL;
+
+int
+main(int argc, char **argv)
+{
+ int opt, mode = 0, ret, lastchance = 0;
+ char *username, *password = NULL;
+ char response[1024];
+ int arg_login = 0, arg_notickets = 0;
+ char invokinguser[LOGIN_NAME_MAX];
+ char *wheel = NULL, *class = NULL;
+
+ invokinguser[0] = '\0';
+
+ setpriority(PRIO_PROCESS, 0, 0);
+
+ openlog(NULL, LOG_ODELAY, LOG_AUTH);
+
+ while ((opt = getopt(argc, argv, "ds:v:")) != -1) {
+ switch (opt) {
+ case 'd':
+ back = stdout;
+ break;
+ case 's': /* service */
+ if (strcmp(optarg, "login") == 0)
+ mode = MODE_LOGIN;
+ else if (strcmp(optarg, "challenge") == 0)
+ mode = MODE_CHALLENGE;
+ else if (strcmp(optarg, "response") == 0)
+ mode = MODE_RESPONSE;
+ else {
+ syslog(LOG_ERR, "%s: invalid service", optarg);
+ exit(1);
+ }
+ break;
+ case 'v':
+ if (strncmp(optarg, "wheel=", 6) == 0)
+ wheel = optarg + 6;
+ else if (strncmp(optarg, "lastchance=", 11) == 0)
+ lastchance = (strcmp(optarg + 11, "yes") == 0);
+ else if (strcmp(optarg, "login=yes") == 0)
+ arg_login = 1;
+ else if (strcmp(optarg, "notickets=yes") == 0)
+ arg_notickets = 1;
+ else if (strncmp(optarg, "invokinguser=", 13) == 0)
+ snprintf(invokinguser, sizeof(invokinguser),
+ "%s", &optarg[13]);
+ /* Silently ignore unsupported variables */
+ break;
+ default:
+ syslog(LOG_ERR, "usage error1");
+ exit(1);
+ }
+ }
+
+ switch (argc - optind) {
+ case 2:
+ class = argv[optind + 1];
+ /*FALLTHROUGH*/
+ case 1:
+ username = argv[optind];
+ break;
+ default:
+ syslog(LOG_ERR, "usage error2");
+ exit(1);
+ }
+
+ if (back == NULL && (back = fdopen(3, "r+")) == NULL) {
+ syslog(LOG_ERR, "reopening back channel: %m");
+ exit(1);
+ }
+
+ /*
+ * Read password, either as from the terminal or if the
+ * response mode is active from the caller program.
+ *
+ * XXX This is completely ungrokkable, and should be rewritten.
+ */
+ switch (mode) {
+ case MODE_RESPONSE: {
+ int count;
+ mode = 0;
+ count = -1;
+ while (++count < sizeof(response) &&
+ read(3, &response[count], (size_t)1) == (ssize_t)1) {
+ if (response[count] == '\0' && ++mode == 2)
+ break;
+ if (response[count] == '\0' && mode == 1) {
+ password = response + count + 1;
+ }
+ }
+ if (mode < 2) {
+ syslog(LOG_ERR, "protocol error on back channel");
+ exit(1);
+ }
+ break;
+ }
+
+ case MODE_LOGIN:
+ password = getpass("Password:");
+ break;
+ case MODE_CHALLENGE:
+ fprintf(back, BI_AUTH "\n");
+ exit(0);
+ break;
+ default:
+ syslog(LOG_ERR, "%d: unknown mode", mode);
+ exit(1);
+ break;
+ }
+
+ ret = AUTH_FAILED;
+#ifdef KRB5
+ ret = krb5_login(username, invokinguser, password, arg_login,
+ !arg_notickets, class);
+#endif
+#ifdef PASSWD
+ if (ret != AUTH_OK)
+ ret = pwd_login(username, password, wheel, lastchance, class);
+#endif
+
+ if (password != NULL)
+ memset(password, 0, strlen(password));
+ if (ret != AUTH_OK)
+ fprintf(back, BI_REJECT "\n");
+
+ closelog();
+
+ exit(0);
+}
diff --git a/login_passwd/login_passwd.8 b/login_passwd/login_passwd.8
new file mode 100644
index 0000000..04b1763
--- /dev/null
+++ b/login_passwd/login_passwd.8
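Review bot: The `memset(password, 0, strlen(password))` near the end of main is a store to memory that is never read again before `exit(0)`, so an optimising compiler is entitled to drop it and the password can stay in the process image; the same applies to the `memset(password, 0, plen)` in pwd_login in login_passwd.c. On the OpenBSD releases that already provide crypt_checkpass(3), `explicit_bzero(password, strlen(password));` is the supported way to clear it, and in MODE_RESPONSE the whole `response` buffer holds the caller's challenge and password copy, so `explicit_bzero(response, sizeof(response));` belongs next to it. Reusing `mode` as a NUL counter inside MODE_RESPONSE is what makes the loop "ungrokkable" as the comment admits; a dedicated `int nuls = 0;` in that block, with `count` declared `size_t` so the comparison against `sizeof(response)` is not signed/unsigned, would make the two-string framing readable without changing what is accepted. The loop also reads fd 3 with read(2) while `back` is a stdio stream fdopen(3)ed on the same descriptor; that works here only because nothing has read through `back` yet, which is worth a comment on the `read(3, ...)` line.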
@@ -0,0 +1,88 @@ +.\" $OpenBSD: login_passwd.8,v 1.9 2012/02/01 17:32:59 sobrado Exp $ +.\" +.\" Copyright (c) 2000 Todd C. Miller +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +.\" +.Dd $Mdocdate: February 1 2012 $ +.Dt LOGIN_PASSWD 8 +.Os +.Sh NAME +.Nm login_passwd +.Nd provide standard password authentication type +.Sh SYNOPSIS +.Nm login_passwd +.Op Fl s Ar service +.Op Fl v Ar wheel Ns = Ns Li yes Ns | Ns Li no +.Op Fl v Ar lastchance Ns = Ns Li yes Ns | Ns Li no +.Ar user +.Op Ar class +.Sh DESCRIPTION +The +.Nm +utility is called by +.Xr login 1 , +.Xr su 1 , +.Xr ftpd 8 , +and others to authenticate the +.Ar user +with passwd-style authentication. +.Pp +The +.Ar user +argument is the login name of the user to be authenticated. +.Pp +The +.Ar service +argument specifies which protocol to use with the +invoking program. +The allowed protocols are +.Em login , +.Em challenge , +and +.Em response . +(The +.Em challenge +protocol is silently ignored but will report success as passwd-style +authentication is not challenge-response based). +.Pp +If the +.Ar wheel +argument is specified and is not set to +.Dq yes , +then the user will be rejected as not being in group +.Dq wheel . +This is used by +.Xr su 1 . 
+.Pp +If the +.Ar lastchance +argument is specified and is equal to +.Dq yes , +then if the user's password has expired, and it has not been +expired longer than +.Dq password-dead +seconds (see +.Xr login.conf 5 ) , +the user will be able to log in one last time to change the password. +.Pp +.Nm +will prompt the user for a password and report back to the +invoking program whether or not the authentication was +successful. +.Sh SEE ALSO +.Xr login 1 , +.Xr passwd 1 , +.Xr su 1 , +.Xr login.conf 5 , +.Xr ftpd 8 diff --git a/login_passwd/login_passwd.c b/login_passwd/login_passwd.c new file mode 100644 index 0000000..f646d89 --- /dev/null +++ b/login_passwd/login_passwd.c 
@@ -0,0 +1,68 @@ +/* $OpenBSD: login_passwd.c,v 1.10 2014/09/16 22:07:02 tedu Exp $ */ + +/*- + * Copyright (c) 2001 Hans Insulander . + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. 
+ */
+
+#include "common.h"
+
+int
+pwd_login(char *username, char *password, char *wheel, int lastchance,
+ char *class)
+{
+ struct passwd *pwd;
+ size_t plen;
+ char *goodhash = NULL;
+ int passok = 0;
+
+ if (wheel != NULL && strcmp(wheel, "yes") != 0) {
+ fprintf(back, BI_VALUE " errormsg %s\n",
+ auth_mkvalue("you are not in group wheel"));
+ fprintf(back, BI_REJECT "\n");
+ return (AUTH_FAILED);
+ }
+ if (password == NULL)
+ return (AUTH_FAILED);
+
+ pwd = getpwnam(username);
+ if (pwd)
+ goodhash = pwd->pw_passwd;
+
+ setpriority(PRIO_PROCESS, 0, -4);
+ if (crypt_checkpass(password, goodhash) == 0)
+ passok = 1;
+ plen = strlen(password);
+ memset(password, 0, plen);
+
+ if (!passok)
+ return (AUTH_FAILED);
+
+ if (login_check_expire(back, pwd, class, lastchance) == 0)
+ fprintf(back, BI_AUTH "\n");
+ else
+ return (AUTH_FAILED);
+
+ return (AUTH_OK);
+}
diff --git a/login_passwd/pwd_gensalt.c b/login_passwd/pwd_gensalt.c
new file mode 100644
index 0000000..b9644ab
--- /dev/null
+++ b/login_passwd/pwd_gensalt.c
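Review bot: The wheel branch writes `BI_REJECT` itself and then returns AUTH_FAILED, and main in login.c writes `BI_REJECT` again for every non-AUTH_OK result, so on that path the back channel gets two reject lines; if the protocol reader does not tolerate that, dropping the `fprintf(back, BI_REJECT "\n");` here and keeping only the `errormsg` value leaves main as the single place that rejects. Passing `goodhash == NULL` for an unknown user is deliberate and correct only because crypt_checkpass(3) is documented to treat a missing hash as a failed check while still doing comparable work, so that reliance deserves a comment on the `if (pwd)` line: `/* NULL hash: crypt_checkpass(3) still fails in roughly constant time, so unknown users are not distinguishable */`. The `auth_mkvalue()` result is heap-allocated and never freed; harmless since the process exits shortly after, but a `/* leaked on purpose: process exits */` note would stop it being reported.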
@@ -0,0 +1,92 @@ +/* $OpenBSD: pwd_gensalt.c,v 1.29 2014/11/01 17:48:00 tedu Exp $ */ + +/* + * Copyright 1997 Niels Provos + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. All advertising materials mentioning features or use of this software + * must display the following acknowledgement: + * This product includes software developed by Niels Provos. + * 4. The name of the author may not be used to endorse or promote products + * derived from this software without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+void to64(char *, u_int32_t, int n);
+int pwd_gensalt(char *, int, login_cap_t *, char);
+
+#define CIPHER_DEF "blowfish,8"
+
+int
+pwd_gensalt(char *salt, int saltlen, login_cap_t *lc, char type)
+{
+ char *next, *now, *oldnext;
+
+ *salt = '\0';
+
+ next = login_getcapstr(lc, "localcipher", NULL, NULL);
+ if (next == NULL && (next = strdup(CIPHER_DEF)) == NULL) {
+ warn(NULL);
+ return 0;
+ }
+
+ oldnext = next;
+ now = strsep(&next, ",");
+ if (!strcmp(now, "blowfish")) {
+ int rounds = 8;
+
+ if (next)
+ rounds = atoi(next);
+ if (rounds < 4)
+ rounds = 4;
+ if (rounds > 31)
+ rounds = 31;
+ strlcpy(salt, bcrypt_gensalt(rounds), saltlen);
+ } else {
+ warnx("Unknown option %s.", now);
+ free(oldnext);
+ return 0;
+ }
+ free(oldnext);
+ return 1;
+}
+
+static unsigned char itoa64[] = /* 0 ... 63 => ascii - 64 */
+ "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+
+void
+to64(char *s, u_int32_t v, int n)
+{
+ while (--n >= 0) {
+ *s++ = itoa64[v&0x3f];
+ v >>= 6;
+ }
+}
diff --git a/test b/test
deleted file mode 100644
index e69de29..0000000
--
2.11.4.GIT
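Review bot: `rounds = atoi(next)` turns a malformed `localcipher` value such as `blowfish,abc` into 0, which the following clamps silently raise to the minimum cost of 4, so a typo in login.conf quietly weakens every hash this function salts. Parsing with strtonum(3) and refusing bad input makes the misconfiguration visible instead of degrading; the rewritten branch is below. Two smaller points: the `type` parameter is never read, and nothing else in this patch calls pwd_gensalt (login_passwd.c verifies with crypt_checkpass), so as far as this import shows it is dead code in login_krb5-or-pwd and could either be dropped from that SRCS line or get a comment naming its intended caller. `itoa64` is a lookup table and should be `static const unsigned char`.
```c
	if (!strcmp(now, "blowfish")) {
		int rounds = 8;
		const char *errstr;

		if (next) {
			/* reject malformed or out-of-range costs instead of silently clamping */
			rounds = strtonum(next, 4, 31, &errstr);
			if (errstr != NULL) {
				warnx("localcipher rounds %s: %s", next, errstr);
				free(oldnext);
				return 0;
			}
		}
		strlcpy(salt, bcrypt_gensalt(rounds), saltlen);
	/* … unchanged: else branch, free(oldnext), return 1 … */
```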