2 * Copyright (c) 1991, 1993
3 * Dave Safford. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * $FreeBSD: src/crypto/telnet/libtelnet/sra.c,v 1.1.2.7 2002/05/16 08:46:49 markm Exp $
34 #include <sys/types.h>
35 #include <arpa/telnet.h>
44 #include <security/pam_appl.h>
54 char pka
[HEXKEYBYTES
+1], ska
[HEXKEYBYTES
+1], pkb
[HEXKEYBYTES
+1];
55 char *user
, *pass
, *xuser
, *xpass
;
59 extern int auth_debug_mode
;
62 static int sra_valid
= 0;
63 static int passwd_sent
= 0;
65 static unsigned char str_data
[1024] = {
66 IAC
, SB
, TELOPT_AUTHENTICATION
, 0, AUTHTYPE_SRA
, };
69 #define XSMALL_LEN 513
73 #define SRA_CONTINUE 2
78 static int check_user(char *, const char *);
80 /* support routine to send out authentication message */
82 Data(Authenticator
*ap
, int type
, void *d
, int c
)
84 unsigned char *p
= str_data
+ 4;
85 unsigned char *cd
= (unsigned char *)d
;
88 c
= strlen((char *)cd
);
90 if (auth_debug_mode
) {
91 printf("%s:%d: [%d] (%d)",
92 str_data
[3] == TELQUAL_IS
? ">>>IS" : ">>>REPLY",
102 if ((*p
++ = *cd
++) == IAC
)
107 if (str_data
[3] == TELQUAL_IS
)
108 printsub('>', &str_data
[2], p
- (&str_data
[2]));
109 return(net_write(str_data
, p
- str_data
));
113 sra_init(Authenticator
*ap __unused
, int server
)
116 str_data
[3] = TELQUAL_REPLY
;
118 str_data
[3] = TELQUAL_IS
;
120 user
= malloc(SMALL_LEN
);
121 xuser
= malloc(XSMALL_LEN
);
122 pass
= malloc(SMALL_LEN
);
123 xpass
= malloc(XSMALL_LEN
);
125 if (user
== NULL
|| xuser
== NULL
|| pass
== NULL
|| xpass
== NULL
)
126 return 0; /* malloc failed */
134 /* client received a go-ahead for sra */
136 sra_send(Authenticator
*ap
)
141 printf("Sent PKA to server.\r\n" );
142 printf("Trying SRA secure login:\r\n");
143 if (!Data(ap
, SRA_KEY
, (void *)pka
, HEXKEYBYTES
)) {
145 printf("Not enough room for authentication data\r\n");
152 /* server received an IS -- could be SRA KEY, USER, or PASS */
154 sra_is(Authenticator
*ap
, unsigned char *data
, int cnt
)
164 if (cnt
< HEXKEYBYTES
) {
165 Data(ap
, SRA_REJECT
, (void *)0, 0);
166 auth_finished(ap
, AUTH_USER
);
168 printf("SRA user rejected for bad PKB\r\n");
172 printf("Sent pka\r\n");
173 if (!Data(ap
, SRA_KEY
, (void *)pka
, HEXKEYBYTES
)) {
175 printf("Not enough room\r\n");
178 memcpy(pkb
, data
, HEXKEYBYTES
);
179 pkb
[HEXKEYBYTES
] = '\0';
180 common_key(ska
, pkb
, &ik
, &ck
);
185 if (cnt
> XSMALL_LEN
- 1) /* Attempted buffer overflow */
187 memcpy(xuser
, data
, cnt
);
189 pk_decode(xuser
, user
, &ck
);
190 auth_encrypt_user(user
);
191 Data(ap
, SRA_CONTINUE
, (void *)0, 0);
195 if (cnt
> XSMALL_LEN
- 1) /* Attempted buffer overflow */
198 memcpy(xpass
, data
, cnt
);
200 pk_decode(xpass
, pass
, &ck
);
202 /* check user's password */
203 valid
= check_user(user
, pass
);
206 Data(ap
, SRA_ACCEPT
, (void *)0, 0);
210 encrypt_session_key(&skey
, 1);
213 auth_finished(ap
, AUTH_VALID
);
215 printf("SRA user accepted\r\n");
217 Data(ap
, SRA_CONTINUE
, (void *)0, 0);
219 Data(ap, SRA_REJECT, (void *)0, 0);
221 auth_finished(ap, AUTH_REJECT);
224 printf("SRA user failed\r\n");
230 printf("Unknown SRA option %d\r\n", data
[-1]);
234 Data(ap
, SRA_REJECT
, 0, 0);
236 auth_finished(ap
, AUTH_REJECT
);
239 /* client received REPLY -- could be SRA KEY, CONTINUE, ACCEPT, or REJECT */
241 sra_reply(Authenticator
*ap
, unsigned char *data
, int cnt
)
243 char uprompt
[SMALL_LEN
], tuser
[SMALL_LEN
];
252 /* calculate common key */
253 if (cnt
< HEXKEYBYTES
) {
255 printf("SRA user rejected for bad PKB\r\n");
258 memcpy(pkb
, data
, HEXKEYBYTES
);
259 pkb
[HEXKEYBYTES
] = '\0';
260 common_key(ska
, pkb
, &ik
, &ck
);
264 memset(tuser
, 0, sizeof(tuser
));
265 sprintf(uprompt
, "User (%s): ", UserNameRequested
);
266 if (telnet_gets(uprompt
, tuser
, SMALL_LEN
-1, 1) == NULL
) {
270 if (tuser
[0] == '\n' || tuser
[0] == '\r' ) {
271 strlcpy(user
, UserNameRequested
, SMALL_LEN
);
273 /* telnet_gets leaves the newline on */
274 for (i
= 0; i
< sizeof(tuser
); i
++) {
275 if (tuser
[i
] == '\n') {
280 strlcpy(user
, tuser
, SMALL_LEN
);
282 pk_encode(user
, xuser
, &ck
);
286 printf("Sent KAB(U)\r\n");
287 if (!Data(ap
, SRA_USER
, xuser
, strlen(xuser
))) {
289 printf("Not enough room\r\n");
297 printf("[ SRA login failed ]\r\n");
300 /* encode password */
301 memset(pass
, 0, SMALL_LEN
);
302 if (telnet_gets("Password: ", pass
, SMALL_LEN
-1, 0) == NULL
) {
306 pk_encode(pass
, xpass
, &ck
);
309 printf("Sent KAB(P)\r\n");
310 if (!Data(ap
, SRA_PASS
, xpass
, strlen(xpass
))) {
312 printf("Not enough room\r\n");
319 printf("[ SRA refuses authentication ]\r\n");
320 printf("Trying plaintext login:\r\n");
321 auth_finished(0, AUTH_REJECT
);
325 printf("[ SRA accepts you ]\r\n");
329 encrypt_session_key(&skey
, 0);
330 auth_finished(ap
, AUTH_VALID
);
335 printf("Unknown SRA option %d\r\n", data
[-1]);
341 sra_status(Authenticator
*ap __unused
, char *name
, int level
)
343 if (level
< AUTH_USER
)
345 if (UserNameRequested
&& sra_valid
) {
346 strcpy(name
, UserNameRequested
);
353 #define BUMP(buf, len) while (*(buf)) { ++(buf), --(len); }
354 #define ADDC(buf, len, c) if ((len) > 0) { *(buf)++ = (c); --(len); }
357 sra_printsub(unsigned char *data
, int cnt
, unsigned char *ubuf
, int buflen
)
359 char lbuf
[32], *buf
= (char *)ubuf
;
362 buf
[buflen
-1] = '\0'; /* make sure its NULL terminated */
367 strncpy(buf
, " CONTINUE ", buflen
);
370 case SRA_REJECT
: /* Rejected (reason might follow) */
371 strncpy(buf
, " REJECT ", buflen
);
374 case SRA_ACCEPT
: /* Accepted (name might follow) */
375 strncpy(buf
, " ACCEPT ", buflen
);
381 ADDC(buf
, buflen
, '"');
382 for (i
= 4; i
< cnt
; i
++)
383 ADDC(buf
, buflen
, data
[i
]);
384 ADDC(buf
, buflen
, '"');
385 ADDC(buf
, buflen
, '\0');
388 case SRA_KEY
: /* Authentication data follows */
389 strncpy(buf
, " KEY ", buflen
);
393 strncpy(buf
, " USER ", buflen
);
397 strncpy(buf
, " PASS ", buflen
);
401 snprintf(lbuf
, sizeof(lbuf
), " %d (unknown)", data
[3]);
402 strncpy(buf
, lbuf
, buflen
);
406 for (i
= 4; i
< cnt
; i
++) {
407 snprintf(lbuf
, sizeof(lbuf
), " %d", data
[i
]);
408 strncpy(buf
, lbuf
, buflen
);
418 isroot(const char *usr
)
420 struct passwd pws
, *pwd
;
423 if (getpwnam_r(usr
, &pws
, pwbuf
, sizeof(pwbuf
), &pwd
) != 0 ||
427 return (!pwd
->pw_uid
);
431 rootterm(const char *ttyn
)
435 return ((t
= getttynam(ttyn
)) && t
->ty_status
& TTY_SECURE
);
439 check_user(char *name
, const char *cred
)
441 struct passwd pws
, *pw
;
443 char *xpasswd
, *salt
;
445 if (isroot(name
) && !rootterm(line
)) {
446 crypt("AA", "*"); /* Waste some time to simulate success */
450 if (getpwnam_r(name
, &pws
, pwbuf
, sizeof(pwbuf
), &pw
) == 0 &&
452 if (pw
->pw_shell
== NULL
)
455 salt
= pw
->pw_passwd
;
456 xpasswd
= crypt(cred
, salt
);
457 /* The strcmp does not catch null passwords! */
458 if (*pw
->pw_passwd
== '\0' || strcmp(xpasswd
, pw
->pw_passwd
))
469 * The following is stolen from ftpd, which stole it from the imap-uw
470 * PAM module and login.c. It is needed because we can't really
471 * "converse" with the user, having already gone to the trouble of
472 * getting their username and password through an encrypted channel.
475 #define COPY_STRING(s) (s ? strdup(s) : NULL)
481 typedef struct cred_t cred_t
;
484 auth_conv(int num_msg
, const struct pam_message
**msg
,
485 struct pam_response
**resp
, void *appdata
)
488 cred_t
*cred
= appdata
;
489 struct pam_response
*reply
= malloc(sizeof(*reply
) * num_msg
);
494 for (i
= 0; i
< num_msg
; i
++) {
495 switch (msg
[i
]->msg_style
) {
496 case PAM_PROMPT_ECHO_ON
: /* assume want user name */
497 reply
[i
].resp_retcode
= PAM_SUCCESS
;
498 reply
[i
].resp
= COPY_STRING(cred
->uname
);
499 /* PAM frees resp. */
501 case PAM_PROMPT_ECHO_OFF
: /* assume want password */
502 reply
[i
].resp_retcode
= PAM_SUCCESS
;
503 reply
[i
].resp
= COPY_STRING(cred
->pass
);
504 /* PAM frees resp. */
508 reply
[i
].resp_retcode
= PAM_SUCCESS
;
509 reply
[i
].resp
= NULL
;
511 default: /* unknown message style */
522 * The PAM version as a side effect may put a new username in *name.
525 check_user(char *name
, const char *cred
)
527 pam_handle_t
*pamh
= NULL
;
531 cred_t auth_cred
= { name
, cred
};
532 struct pam_conv conv
= { &auth_conv
, &auth_cred
};
534 e
= pam_start("telnetd", name
, &conv
, &pamh
);
535 if (e
!= PAM_SUCCESS
) {
536 syslog(LOG_ERR
, "pam_start: %s", pam_strerror(pamh
, e
));
540 #if 0 /* Where can we find this value? */
541 e
= pam_set_item(pamh
, PAM_RHOST
, remotehost
);
542 if (e
!= PAM_SUCCESS
) {
543 syslog(LOG_ERR
, "pam_set_item(PAM_RHOST): %s",
544 pam_strerror(pamh
, e
));
549 e
= pam_authenticate(pamh
, 0);
553 * With PAM we support the concept of a "template"
554 * user. The user enters a login name which is
555 * authenticated by PAM, usually via a remote service
556 * such as RADIUS or TACACS+. If authentication
557 * succeeds, a different but related "template" name
558 * is used for setting the credentials, shell, and
559 * home directory. The name the user enters need only
560 * exist on the remote authentication server, but the
561 * template name must be present in the local password
564 * This is supported by two various mechanisms in the
565 * individual modules. However, from the application's
566 * point of view, the template user is always passed
567 * back as a changed value of the PAM_USER item.
569 if ((e
= pam_get_item(pamh
, PAM_USER
,
570 &item
)) == PAM_SUCCESS
)
571 strlcpy(name
, item
, SMALL_LEN
);
573 syslog(LOG_ERR
, "Couldn't get PAM_USER: %s",
574 pam_strerror(pamh
, e
));
577 #if 0 /* pam_securetty(8) should be used to enforce this */
578 if (isroot(name
) && !rootterm(line
))
584 case PAM_USER_UNKNOWN
:
590 syslog(LOG_ERR
, "auth_pam: %s", pam_strerror(pamh
, e
));
595 if ((e
= pam_end(pamh
, e
)) != PAM_SUCCESS
) {
596 syslog(LOG_ERR
, "pam_end: %s", pam_strerror(pamh
, e
));
604 #endif /* ENCRYPTION */