2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kpasswd_locl.h"
37 #include <kadm5/admin.h>
42 #include <kadm5/private.h>
44 static krb5_context context
;
45 static krb5_log_facility
*log_facility
;
47 static struct getarg_strings addresses_str
;
48 krb5_addresses explicit_addresses
;
50 static sig_atomic_t exit_flag
= 0;
53 add_one_address (const char *str
, int first
)
58 ret
= krb5_parse_address (context
, str
, &tmp
);
60 krb5_err (context
, 1, ret
, "parse_address `%s'", str
);
62 krb5_copy_addresses(context
, &tmp
, &explicit_addresses
);
64 krb5_append_addresses(context
, &explicit_addresses
, &tmp
);
65 krb5_free_addresses (context
, &tmp
);
77 u_int16_t len
, ap_rep_len
;
82 ap_rep_len
= ap_rep
->length
;
86 len
= 6 + ap_rep_len
+ rest
->length
;
88 *p
++ = (len
>> 8) & 0xFF;
89 *p
++ = (len
>> 0) & 0xFF;
92 *p
++ = (ap_rep_len
>> 8) & 0xFF;
93 *p
++ = (ap_rep_len
>> 0) & 0xFF;
95 memset (&msghdr
, 0, sizeof(msghdr
));
96 msghdr
.msg_name
= (void *)sa
;
97 msghdr
.msg_namelen
= sa_size
;
99 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
101 msghdr
.msg_control
= NULL
;
102 msghdr
.msg_controllen
= 0;
105 iov
[0].iov_base
= (char *)header
;
108 iov
[1].iov_base
= ap_rep
->data
;
109 iov
[1].iov_len
= ap_rep
->length
;
111 iov
[1].iov_base
= NULL
;
114 iov
[2].iov_base
= rest
->data
;
115 iov
[2].iov_len
= rest
->length
;
117 if (sendmsg (s
, &msghdr
, 0) < 0)
118 krb5_warn (context
, errno
, "sendmsg");
122 make_result (krb5_data
*data
,
123 u_int16_t result_code
,
126 krb5_data_zero (data
);
128 data
->length
= asprintf ((char **)&data
->data
,
130 (result_code
>> 8) & 0xFF,
134 if (data
->data
== NULL
) {
135 krb5_warnx (context
, "Out of memory generating error reply");
142 reply_error (krb5_principal server
,
146 krb5_error_code error_code
,
147 u_int16_t result_code
,
151 krb5_data error_data
;
154 if (make_result(&e_data
, result_code
, expl
))
157 ret
= krb5_mk_error (context
,
166 krb5_data_free (&e_data
);
168 krb5_warn (context
, ret
, "Could not even generate error reply");
171 send_reply (s
, sa
, sa_size
, NULL
, &error_data
);
172 krb5_data_free (&error_data
);
176 reply_priv (krb5_auth_context auth_context
,
180 u_int16_t result_code
,
184 krb5_data krb_priv_data
;
185 krb5_data ap_rep_data
;
188 ret
= krb5_mk_rep (context
,
192 krb5_warn (context
, ret
, "Could not even generate error reply");
196 if (make_result(&e_data
, result_code
, expl
))
199 ret
= krb5_mk_priv (context
,
204 krb5_data_free (&e_data
);
206 krb5_warn (context
, ret
, "Could not even generate error reply");
209 send_reply (s
, sa
, sa_size
, &ap_rep_data
, &krb_priv_data
);
210 krb5_data_free (&ap_rep_data
);
211 krb5_data_free (&krb_priv_data
);
215 * Change the password for `principal', sending the reply back on `s'
216 * (`sa', `sa_size') to `pwd_data'.
220 change (krb5_auth_context auth_context
,
221 krb5_principal admin_principal
,
229 char *client
= NULL
, *admin
= NULL
;
230 const char *pwd_reason
;
231 kadm5_config_params conf
;
232 void *kadm5_handle
= NULL
;
233 krb5_principal principal
;
234 krb5_data
*pwd_data
= NULL
;
236 ChangePasswdDataMS chpw
;
238 memset (&conf
, 0, sizeof(conf
));
239 memset(&chpw
, 0, sizeof(chpw
));
241 if (version
== KRB5_KPASSWD_VERS_CHANGEPW
) {
242 ret
= krb5_copy_data(context
, in_data
, &pwd_data
);
244 krb5_warn (context
, ret
, "krb5_copy_data");
245 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
246 "out out memory copying password");
249 principal
= admin_principal
;
250 } else if (version
== KRB5_KPASSWD_VERS_SETPW
) {
253 ret
= decode_ChangePasswdDataMS(in_data
->data
, in_data
->length
,
256 krb5_warn (context
, ret
, "decode_ChangePasswdDataMS");
257 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
258 "malformed ChangePasswdData");
263 ret
= krb5_copy_data(context
, &chpw
.newpasswd
, &pwd_data
);
265 krb5_warn (context
, ret
, "krb5_copy_data");
266 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
267 "out out memory copying password");
271 if (chpw
.targname
== NULL
&& chpw
.targrealm
!= NULL
) {
272 krb5_warn (context
, ret
, "kadm5_init_with_password_ctx");
273 reply_priv (auth_context
, s
, sa
, sa_size
,
274 KRB5_KPASSWD_MALFORMED
,
275 "targrealm but not targname");
280 krb5_principal_data princ
;
282 princ
.name
= *chpw
.targname
;
283 princ
.realm
= *chpw
.targrealm
;
284 if (princ
.realm
== NULL
) {
285 ret
= krb5_get_default_realm(context
, &princ
.realm
);
289 "kadm5_init_with_password_ctx: "
290 "failed to allocate realm");
291 reply_priv (auth_context
, s
, sa
, sa_size
,
292 KRB5_KPASSWD_SOFTERROR
,
293 "failed to allocate realm");
297 ret
= krb5_copy_principal(context
, &princ
, &principal
);
298 if (*chpw
.targrealm
== NULL
)
301 krb5_warn(context
, ret
, "krb5_copy_principal");
302 reply_priv(auth_context
, s
, sa
, sa_size
,
303 KRB5_KPASSWD_HARDERROR
,
304 "failed to allocate principal");
308 principal
= admin_principal
;
310 krb5_warnx (context
, "kadm5_init_with_password_ctx: unknown proto");
311 reply_priv (auth_context
, s
, sa
, sa_size
,
312 KRB5_KPASSWD_HARDERROR
,
313 "Unknown protocol used");
317 ret
= krb5_unparse_name (context
, admin_principal
, &admin
);
319 krb5_warn (context
, ret
, "unparse_name failed");
320 reply_priv (auth_context
, s
, sa
, sa_size
,
321 KRB5_KPASSWD_HARDERROR
, "out of memory error");
325 ret
= kadm5_init_with_password_ctx(context
,
332 krb5_warn (context
, ret
, "kadm5_init_with_password_ctx");
333 reply_priv (auth_context
, s
, sa
, sa_size
, 2,
338 ret
= krb5_unparse_name(context
, principal
, &client
);
340 krb5_warn (context
, ret
, "unparse_name failed");
341 reply_priv (auth_context
, s
, sa
, sa_size
,
342 KRB5_KPASSWD_HARDERROR
, "out of memory error");
347 * Check password quality if not changing as administrator
350 if (krb5_principal_compare(context
, admin_principal
, principal
) == TRUE
) {
352 pwd_reason
= kadm5_check_password_quality (context
, principal
,
354 if (pwd_reason
!= NULL
) {
356 "%s didn't pass password quality check with error: %s",
358 reply_priv (auth_context
, s
, sa
, sa_size
,
359 KRB5_KPASSWD_SOFTERROR
, pwd_reason
);
362 krb5_warnx (context
, "Changing password for %s", client
);
364 ret
= _kadm5_acl_check_permission(kadm5_handle
, KADM5_PRIV_CPW
,
367 krb5_warn (context
, ret
,
368 "Check ACL failed for %s for changing %s password",
370 reply_priv (auth_context
, s
, sa
, sa_size
,
371 KRB5_KPASSWD_HARDERROR
, "permission denied");
374 krb5_warnx (context
, "%s is changing password for %s", admin
, client
);
377 ret
= krb5_data_realloc(pwd_data
, pwd_data
->length
+ 1);
379 krb5_warn (context
, ret
, "malloc: out of memory");
380 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_HARDERROR
,
384 tmp
= pwd_data
->data
;
385 tmp
[pwd_data
->length
- 1] = '\0';
387 ret
= kadm5_s_chpass_principal_cond (kadm5_handle
, principal
, tmp
);
388 krb5_free_data (context
, pwd_data
);
391 krb5_warn (context
, ret
, "kadm5_s_chpass_principal_cond");
392 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_HARDERROR
,
396 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_SUCCESS
,
399 free_ChangePasswdDataMS(&chpw
);
405 krb5_free_data(context
, pwd_data
);
407 kadm5_destroy (kadm5_handle
);
411 verify (krb5_auth_context
*auth_context
,
412 krb5_principal server
,
414 krb5_ticket
**ticket
,
424 u_int16_t pkt_len
, pkt_ver
, ap_req_len
;
425 krb5_data ap_req_data
;
426 krb5_data krb_priv_data
;
428 pkt_len
= (msg
[0] << 8) | (msg
[1]);
429 pkt_ver
= (msg
[2] << 8) | (msg
[3]);
430 ap_req_len
= (msg
[4] << 8) | (msg
[5]);
431 if (pkt_len
!= len
) {
432 krb5_warnx (context
, "Strange len: %ld != %ld",
433 (long)pkt_len
, (long)len
);
434 reply_error (server
, s
, sa
, sa_size
, 0, 1, "Bad request");
437 if (pkt_ver
!= KRB5_KPASSWD_VERS_CHANGEPW
&&
438 pkt_ver
!= KRB5_KPASSWD_VERS_SETPW
) {
439 krb5_warnx (context
, "Bad version (%d)", pkt_ver
);
440 reply_error (server
, s
, sa
, sa_size
, 0, 1, "Wrong program version");
445 ap_req_data
.data
= msg
+ 6;
446 ap_req_data
.length
= ap_req_len
;
448 ret
= krb5_rd_req (context
,
456 if(ret
== KRB5_KT_NOTFOUND
) {
458 krb5_unparse_name(context
, server
, &name
);
459 krb5_warnx (context
, "krb5_rd_req: %s (%s)",
460 krb5_get_err_text(context
, ret
), name
);
463 krb5_warn (context
, ret
, "krb5_rd_req");
464 reply_error (server
, s
, sa
, sa_size
, ret
, 3, "Authentication failed");
468 if (!(*ticket
)->ticket
.flags
.initial
) {
469 krb5_warnx (context
, "initial flag not set");
470 reply_error (server
, s
, sa
, sa_size
, ret
, 1,
474 krb_priv_data
.data
= msg
+ 6 + ap_req_len
;
475 krb_priv_data
.length
= len
- 6 - ap_req_len
;
477 ret
= krb5_rd_priv (context
,
484 krb5_warn (context
, ret
, "krb5_rd_priv");
485 reply_error (server
, s
, sa
, sa_size
, ret
, 3, "Bad request");
490 krb5_free_ticket (context
, *ticket
);
496 process (krb5_principal server
,
499 krb5_address
*this_addr
,
506 krb5_auth_context auth_context
= NULL
;
509 krb5_address other_addr
;
513 krb5_data_zero (&out_data
);
515 ret
= krb5_auth_con_init (context
, &auth_context
);
517 krb5_warn (context
, ret
, "krb5_auth_con_init");
521 krb5_auth_con_setflags (context
, auth_context
,
522 KRB5_AUTH_CONTEXT_DO_SEQUENCE
);
524 ret
= krb5_sockaddr2address (context
, sa
, &other_addr
);
526 krb5_warn (context
, ret
, "krb5_sockaddr2address");
530 ret
= krb5_auth_con_setaddrs (context
,
534 krb5_free_address (context
, &other_addr
);
536 krb5_warn (context
, ret
, "krb5_auth_con_setaddr");
540 if (verify (&auth_context
, server
, keytab
, &ticket
, &out_data
,
541 &version
, s
, sa
, sa_size
, msg
, len
) == 0) {
542 change (auth_context
,
548 memset (out_data
.data
, 0, out_data
.length
);
549 krb5_free_ticket (context
, ticket
);
553 krb5_data_free (&out_data
);
554 krb5_auth_con_free (context
, auth_context
);
558 doit (krb5_keytab keytab
, int port
)
561 krb5_principal server
;
565 krb5_addresses addrs
;
568 struct sockaddr_storage __ss
;
569 struct sockaddr
*sa
= (struct sockaddr
*)&__ss
;
571 ret
= krb5_get_default_realm (context
, &realm
);
573 krb5_err (context
, 1, ret
, "krb5_get_default_realm");
575 ret
= krb5_build_principal (context
,
583 krb5_err (context
, 1, ret
, "krb5_build_principal");
587 if (explicit_addresses
.len
) {
588 addrs
= explicit_addresses
;
590 ret
= krb5_get_all_server_addrs (context
, &addrs
);
592 krb5_err (context
, 1, ret
, "krb5_get_all_server_addrs");
596 sockets
= malloc (n
* sizeof(*sockets
));
598 krb5_errx (context
, 1, "out of memory");
600 FD_ZERO(&real_fdset
);
601 for (i
= 0; i
< n
; ++i
) {
602 int sa_size
= sizeof(__ss
);
604 krb5_addr2sockaddr (context
, &addrs
.val
[i
], sa
, &sa_size
, port
);
606 sockets
[i
] = socket (sa
->sa_family
, SOCK_DGRAM
, 0);
608 krb5_err (context
, 1, errno
, "socket");
609 if (bind (sockets
[i
], sa
, sa_size
) < 0) {
612 int save_errno
= errno
;
614 ret
= krb5_print_address (&addrs
.val
[i
], str
, sizeof(str
), &len
);
616 strlcpy(str
, "unknown address", sizeof(str
));
617 krb5_warn (context
, save_errno
, "bind(%s)", str
);
620 maxfd
= max (maxfd
, sockets
[i
]);
621 if (maxfd
>= FD_SETSIZE
)
622 krb5_errx (context
, 1, "fd too large");
623 FD_SET(sockets
[i
], &real_fdset
);
626 krb5_errx (context
, 1, "No sockets!");
628 while(exit_flag
== 0) {
630 fd_set fdset
= real_fdset
;
632 ret
= select (maxfd
+ 1, &fdset
, NULL
, NULL
, NULL
);
637 krb5_err (context
, 1, errno
, "select");
639 for (i
= 0; i
< n
; ++i
)
640 if (FD_ISSET(sockets
[i
], &fdset
)) {
642 socklen_t addrlen
= sizeof(__ss
);
644 ret
= recvfrom (sockets
[i
], buf
, sizeof(buf
), 0,
650 krb5_err (context
, 1, errno
, "recvfrom");
653 process (server
, keytab
, sockets
[i
],
659 krb5_free_addresses (context
, &addrs
);
660 krb5_free_principal (context
, server
);
661 krb5_free_context (context
);
671 const char *check_library
= NULL
;
672 const char *check_function
= NULL
;
673 char *keytab_str
= "HDB:";
680 struct getargs args
[] = {
682 { "check-library", 0, arg_string
, &check_library
,
683 "library to load password check function from", "library" },
684 { "check-function", 0, arg_string
, &check_function
,
685 "password check function to load", "function" },
687 { "addresses", 0, arg_strings
, &addresses_str
,
688 "addresses to listen on", "list of addresses" },
689 { "keytab", 'k', arg_string
, &keytab_str
,
690 "keytab to get authentication key from", "kspec" },
691 { "config-file", 'c', arg_string
, &config_file
},
692 { "realm", 'r', arg_string
, &realm_str
, "default realm", "realm" },
693 { "port", 'p', arg_string
, &port_str
, "port" },
694 { "version", 0, arg_flag
, &version_flag
},
695 { "help", 0, arg_flag
, &help_flag
}
697 int num_args
= sizeof(args
) / sizeof(args
[0]);
700 main (int argc
, char **argv
)
708 optind
= krb5_program_setup(&context
, argc
, argv
, args
, num_args
, NULL
);
711 krb5_std_usage(0, args
, num_args
);
717 if (config_file
== NULL
)
718 config_file
= HDB_DB_DIR
"/kdc.conf";
720 ret
= krb5_prepend_config_files_default(config_file
, &files
);
722 krb5_err(context
, 1, ret
, "getting configuration files");
724 ret
= krb5_set_config_files(context
, files
);
725 krb5_free_config_files(files
);
727 krb5_err(context
, 1, ret
, "reading configuration files");
730 krb5_set_default_realm(context
, realm_str
);
732 krb5_openlog (context
, "kpasswdd", &log_facility
);
733 krb5_set_warn_dest(context
, log_facility
);
735 if (port_str
!= NULL
) {
736 struct servent
*s
= roken_getservbyname (port_str
, "udp");
743 port
= strtol (port_str
, &ptr
, 10);
744 if (port
== 0 && ptr
== port_str
)
745 krb5_errx (context
, 1, "bad port `%s'", port_str
);
749 port
= krb5_getportbyname (context
, "kpasswd", "udp", KPASSWD_PORT
);
751 ret
= krb5_kt_register(context
, &hdb_kt_ops
);
753 krb5_err(context
, 1, ret
, "krb5_kt_register");
755 ret
= krb5_kt_resolve(context
, keytab_str
, &keytab
);
757 krb5_err(context
, 1, ret
, "%s", keytab_str
);
759 kadm5_setup_passwd_quality_check (context
, check_library
, check_function
);
761 explicit_addresses
.len
= 0;
763 if (addresses_str
.num_strings
) {
766 for (i
= 0; i
< addresses_str
.num_strings
; ++i
)
767 add_one_address (addresses_str
.strings
[i
], i
== 0);
768 free_getarg_strings (&addresses_str
);
770 char **foo
= krb5_config_get_strings (context
, NULL
,
771 "kdc", "addresses", NULL
);
774 add_one_address (*foo
++, TRUE
);
776 add_one_address (*foo
++, FALSE
);
780 #ifdef HAVE_SIGACTION
785 sa
.sa_handler
= sigterm
;
786 sigemptyset(&sa
.sa_mask
);
788 sigaction(SIGINT
, &sa
, NULL
);
789 sigaction(SIGTERM
, &sa
, NULL
);
792 signal(SIGINT
, sigterm
);
793 signal(SIGTERM
, sigterm
);
798 return doit (keytab
, port
);