2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kpasswd_locl.h"
37 #include <kadm5/admin.h>
42 #include <kadm5/private.h>
44 static krb5_context context
;
45 static krb5_log_facility
*log_facility
;
47 static struct getarg_strings addresses_str
;
48 krb5_addresses explicit_addresses
;
50 static sig_atomic_t exit_flag
= 0;
53 add_one_address (const char *str
, int first
)
58 ret
= krb5_parse_address (context
, str
, &tmp
);
60 krb5_err (context
, 1, ret
, "parse_address `%s'", str
);
62 krb5_copy_addresses(context
, &tmp
, &explicit_addresses
);
64 krb5_append_addresses(context
, &explicit_addresses
, &tmp
);
65 krb5_free_addresses (context
, &tmp
);
77 uint16_t len
, ap_rep_len
;
82 ap_rep_len
= ap_rep
->length
;
86 len
= 6 + ap_rep_len
+ rest
->length
;
88 *p
++ = (len
>> 8) & 0xFF;
89 *p
++ = (len
>> 0) & 0xFF;
92 *p
++ = (ap_rep_len
>> 8) & 0xFF;
93 *p
++ = (ap_rep_len
>> 0) & 0xFF;
95 memset (&msghdr
, 0, sizeof(msghdr
));
96 msghdr
.msg_name
= (void *)sa
;
97 msghdr
.msg_namelen
= sa_size
;
99 msghdr
.msg_iovlen
= sizeof(iov
)/sizeof(*iov
);
101 msghdr
.msg_control
= NULL
;
102 msghdr
.msg_controllen
= 0;
105 iov
[0].iov_base
= (char *)header
;
108 iov
[1].iov_base
= ap_rep
->data
;
109 iov
[1].iov_len
= ap_rep
->length
;
111 iov
[1].iov_base
= NULL
;
114 iov
[2].iov_base
= rest
->data
;
115 iov
[2].iov_len
= rest
->length
;
117 if (sendmsg (s
, &msghdr
, 0) < 0)
118 krb5_warn (context
, errno
, "sendmsg");
122 make_result (krb5_data
*data
,
123 uint16_t result_code
,
127 krb5_data_zero (data
);
129 data
->length
= asprintf (&str
,
131 (result_code
>> 8) & 0xFF,
136 krb5_warnx (context
, "Out of memory generating error reply");
144 reply_error (krb5_realm realm
,
148 krb5_error_code error_code
,
149 uint16_t result_code
,
153 krb5_data error_data
;
155 krb5_principal server
= NULL
;
157 if (make_result(&e_data
, result_code
, expl
))
161 ret
= krb5_make_principal (context
, &server
, realm
,
162 "kadmin", "changepw", NULL
);
164 krb5_data_free (&e_data
);
169 ret
= krb5_mk_error (context
,
179 krb5_free_principal(context
, server
);
180 krb5_data_free (&e_data
);
182 krb5_warn (context
, ret
, "Could not even generate error reply");
185 send_reply (s
, sa
, sa_size
, NULL
, &error_data
);
186 krb5_data_free (&error_data
);
190 reply_priv (krb5_auth_context auth_context
,
194 uint16_t result_code
,
198 krb5_data krb_priv_data
;
199 krb5_data ap_rep_data
;
202 ret
= krb5_mk_rep (context
,
206 krb5_warn (context
, ret
, "Could not even generate error reply");
210 if (make_result(&e_data
, result_code
, expl
))
213 ret
= krb5_mk_priv (context
,
218 krb5_data_free (&e_data
);
220 krb5_warn (context
, ret
, "Could not even generate error reply");
223 send_reply (s
, sa
, sa_size
, &ap_rep_data
, &krb_priv_data
);
224 krb5_data_free (&ap_rep_data
);
225 krb5_data_free (&krb_priv_data
);
229 * Change the password for `principal', sending the reply back on `s'
230 * (`sa', `sa_size') to `pwd_data'.
234 change (krb5_auth_context auth_context
,
235 krb5_principal admin_principal
,
243 char *client
= NULL
, *admin
= NULL
;
244 const char *pwd_reason
;
245 kadm5_config_params conf
;
246 void *kadm5_handle
= NULL
;
247 krb5_principal principal
= NULL
;
248 krb5_data
*pwd_data
= NULL
;
250 ChangePasswdDataMS chpw
;
252 memset (&conf
, 0, sizeof(conf
));
253 memset(&chpw
, 0, sizeof(chpw
));
255 if (version
== KRB5_KPASSWD_VERS_CHANGEPW
) {
256 ret
= krb5_copy_data(context
, in_data
, &pwd_data
);
258 krb5_warn (context
, ret
, "krb5_copy_data");
259 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
260 "out out memory copying password");
263 principal
= admin_principal
;
264 } else if (version
== KRB5_KPASSWD_VERS_SETPW
) {
267 ret
= decode_ChangePasswdDataMS(in_data
->data
, in_data
->length
,
270 krb5_warn (context
, ret
, "decode_ChangePasswdDataMS");
271 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
272 "malformed ChangePasswdData");
277 ret
= krb5_copy_data(context
, &chpw
.newpasswd
, &pwd_data
);
279 krb5_warn (context
, ret
, "krb5_copy_data");
280 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_MALFORMED
,
281 "out out memory copying password");
285 if (chpw
.targname
== NULL
&& chpw
.targrealm
!= NULL
) {
286 krb5_warn (context
, ret
, "kadm5_init_with_password_ctx");
287 reply_priv (auth_context
, s
, sa
, sa_size
,
288 KRB5_KPASSWD_MALFORMED
,
289 "targrealm but not targname");
294 krb5_principal_data princ
;
296 princ
.name
= *chpw
.targname
;
297 princ
.realm
= *chpw
.targrealm
;
298 if (princ
.realm
== NULL
) {
299 ret
= krb5_get_default_realm(context
, &princ
.realm
);
303 "kadm5_init_with_password_ctx: "
304 "failed to allocate realm");
305 reply_priv (auth_context
, s
, sa
, sa_size
,
306 KRB5_KPASSWD_SOFTERROR
,
307 "failed to allocate realm");
311 ret
= krb5_copy_principal(context
, &princ
, &principal
);
312 if (*chpw
.targrealm
== NULL
)
315 krb5_warn(context
, ret
, "krb5_copy_principal");
316 reply_priv(auth_context
, s
, sa
, sa_size
,
317 KRB5_KPASSWD_HARDERROR
,
318 "failed to allocate principal");
322 principal
= admin_principal
;
324 krb5_warnx (context
, "kadm5_init_with_password_ctx: unknown proto");
325 reply_priv (auth_context
, s
, sa
, sa_size
,
326 KRB5_KPASSWD_HARDERROR
,
327 "Unknown protocol used");
331 ret
= krb5_unparse_name (context
, admin_principal
, &admin
);
333 krb5_warn (context
, ret
, "unparse_name failed");
334 reply_priv (auth_context
, s
, sa
, sa_size
,
335 KRB5_KPASSWD_HARDERROR
, "out of memory error");
339 conf
.realm
= principal
->realm
;
340 conf
.mask
|= KADM5_CONFIG_REALM
;
342 ret
= kadm5_init_with_password_ctx(context
,
349 krb5_warn (context
, ret
, "kadm5_init_with_password_ctx");
350 reply_priv (auth_context
, s
, sa
, sa_size
, 2,
355 ret
= krb5_unparse_name(context
, principal
, &client
);
357 krb5_warn (context
, ret
, "unparse_name failed");
358 reply_priv (auth_context
, s
, sa
, sa_size
,
359 KRB5_KPASSWD_HARDERROR
, "out of memory error");
364 * Check password quality if not changing as administrator
367 if (krb5_principal_compare(context
, admin_principal
, principal
) == TRUE
) {
369 pwd_reason
= kadm5_check_password_quality (context
, principal
,
371 if (pwd_reason
!= NULL
) {
373 "%s didn't pass password quality check with error: %s",
375 reply_priv (auth_context
, s
, sa
, sa_size
,
376 KRB5_KPASSWD_SOFTERROR
, pwd_reason
);
379 krb5_warnx (context
, "Changing password for %s", client
);
381 ret
= _kadm5_acl_check_permission(kadm5_handle
, KADM5_PRIV_CPW
,
384 krb5_warn (context
, ret
,
385 "Check ACL failed for %s for changing %s password",
387 reply_priv (auth_context
, s
, sa
, sa_size
,
388 KRB5_KPASSWD_HARDERROR
, "permission denied");
391 krb5_warnx (context
, "%s is changing password for %s", admin
, client
);
394 ret
= krb5_data_realloc(pwd_data
, pwd_data
->length
+ 1);
396 krb5_warn (context
, ret
, "malloc: out of memory");
397 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_HARDERROR
,
401 tmp
= pwd_data
->data
;
402 tmp
[pwd_data
->length
- 1] = '\0';
404 ret
= kadm5_s_chpass_principal_cond (kadm5_handle
, principal
, tmp
);
405 krb5_free_data (context
, pwd_data
);
408 const char *str
= krb5_get_error_message(context
, ret
);
409 krb5_warnx(context
, "kadm5_s_chpass_principal_cond: %s", str
);
410 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_SOFTERROR
,
411 str
? str
: "Internal error");
412 krb5_free_error_message(context
, str
);
415 reply_priv (auth_context
, s
, sa
, sa_size
, KRB5_KPASSWD_SUCCESS
,
418 free_ChangePasswdDataMS(&chpw
);
419 if (principal
!= admin_principal
)
420 krb5_free_principal(context
, principal
);
426 krb5_free_data(context
, pwd_data
);
428 kadm5_destroy (kadm5_handle
);
432 verify (krb5_auth_context
*auth_context
,
435 krb5_ticket
**ticket
,
445 uint16_t pkt_len
, pkt_ver
, ap_req_len
;
446 krb5_data ap_req_data
;
447 krb5_data krb_priv_data
;
450 pkt_len
= (msg
[0] << 8) | (msg
[1]);
451 pkt_ver
= (msg
[2] << 8) | (msg
[3]);
452 ap_req_len
= (msg
[4] << 8) | (msg
[5]);
453 if (pkt_len
!= len
) {
454 krb5_warnx (context
, "Strange len: %ld != %ld",
455 (long)pkt_len
, (long)len
);
456 reply_error (NULL
, s
, sa
, sa_size
, 0, 1, "Bad request");
459 if (pkt_ver
!= KRB5_KPASSWD_VERS_CHANGEPW
&&
460 pkt_ver
!= KRB5_KPASSWD_VERS_SETPW
) {
461 krb5_warnx (context
, "Bad version (%d)", pkt_ver
);
462 reply_error (NULL
, s
, sa
, sa_size
, 0, 1, "Wrong program version");
467 ap_req_data
.data
= msg
+ 6;
468 ap_req_data
.length
= ap_req_len
;
470 ret
= krb5_rd_req (context
,
478 krb5_warn (context
, ret
, "krb5_rd_req");
479 reply_error (NULL
, s
, sa
, sa_size
, ret
, 3, "Authentication failed");
483 /* verify realm and principal */
484 for (r
= realms
; *r
!= NULL
; r
++) {
485 krb5_principal principal
;
488 ret
= krb5_make_principal (context
,
495 krb5_err (context
, 1, ret
, "krb5_make_principal");
497 same
= krb5_principal_compare(context
, principal
, (*ticket
)->server
);
498 krb5_free_principal(context
, principal
);
504 krb5_unparse_name(context
, (*ticket
)->server
, &str
);
505 krb5_warnx (context
, "client used not valid principal %s", str
);
507 reply_error (NULL
, s
, sa
, sa_size
, ret
, 1,
512 if (strcmp((*ticket
)->server
->realm
, (*ticket
)->client
->realm
) != 0) {
513 krb5_warnx (context
, "server realm (%s) not same a client realm (%s)",
514 (*ticket
)->server
->realm
, (*ticket
)->client
->realm
);
515 reply_error ((*ticket
)->server
->realm
, s
, sa
, sa_size
, ret
, 1,
520 if (!(*ticket
)->ticket
.flags
.initial
) {
521 krb5_warnx (context
, "initial flag not set");
522 reply_error ((*ticket
)->server
->realm
, s
, sa
, sa_size
, ret
, 1,
526 krb_priv_data
.data
= msg
+ 6 + ap_req_len
;
527 krb_priv_data
.length
= len
- 6 - ap_req_len
;
529 ret
= krb5_rd_priv (context
,
536 krb5_warn (context
, ret
, "krb5_rd_priv");
537 reply_error ((*ticket
)->server
->realm
, s
, sa
, sa_size
, ret
, 3,
543 krb5_free_ticket (context
, *ticket
);
549 process (krb5_realm
*realms
,
552 krb5_address
*this_addr
,
559 krb5_auth_context auth_context
= NULL
;
562 krb5_address other_addr
;
566 krb5_data_zero (&out_data
);
568 ret
= krb5_auth_con_init (context
, &auth_context
);
570 krb5_warn (context
, ret
, "krb5_auth_con_init");
574 krb5_auth_con_setflags (context
, auth_context
,
575 KRB5_AUTH_CONTEXT_DO_SEQUENCE
);
577 ret
= krb5_sockaddr2address (context
, sa
, &other_addr
);
579 krb5_warn (context
, ret
, "krb5_sockaddr2address");
583 ret
= krb5_auth_con_setaddrs (context
,
587 krb5_free_address (context
, &other_addr
);
589 krb5_warn (context
, ret
, "krb5_auth_con_setaddr");
593 if (verify (&auth_context
, realms
, keytab
, &ticket
, &out_data
,
594 &version
, s
, sa
, sa_size
, msg
, len
) == 0) {
595 change (auth_context
,
601 memset (out_data
.data
, 0, out_data
.length
);
602 krb5_free_ticket (context
, ticket
);
606 krb5_data_free (&out_data
);
607 krb5_auth_con_free (context
, auth_context
);
611 doit (krb5_keytab keytab
, int port
)
617 krb5_addresses addrs
;
620 struct sockaddr_storage __ss
;
621 struct sockaddr
*sa
= (struct sockaddr
*)&__ss
;
623 ret
= krb5_get_default_realms(context
, &realms
);
625 krb5_err (context
, 1, ret
, "krb5_get_default_realms");
627 if (explicit_addresses
.len
) {
628 addrs
= explicit_addresses
;
630 ret
= krb5_get_all_server_addrs (context
, &addrs
);
632 krb5_err (context
, 1, ret
, "krb5_get_all_server_addrs");
636 sockets
= malloc (n
* sizeof(*sockets
));
638 krb5_errx (context
, 1, "out of memory");
640 FD_ZERO(&real_fdset
);
641 for (i
= 0; i
< n
; ++i
) {
642 krb5_socklen_t sa_size
= sizeof(__ss
);
644 krb5_addr2sockaddr (context
, &addrs
.val
[i
], sa
, &sa_size
, port
);
646 sockets
[i
] = socket (sa
->sa_family
, SOCK_DGRAM
, 0);
648 krb5_err (context
, 1, errno
, "socket");
649 if (bind (sockets
[i
], sa
, sa_size
) < 0) {
652 int save_errno
= errno
;
654 ret
= krb5_print_address (&addrs
.val
[i
], str
, sizeof(str
), &len
);
656 strlcpy(str
, "unknown address", sizeof(str
));
657 krb5_warn (context
, save_errno
, "bind(%s)", str
);
660 maxfd
= max (maxfd
, sockets
[i
]);
661 if (maxfd
>= FD_SETSIZE
)
662 krb5_errx (context
, 1, "fd too large");
663 FD_SET(sockets
[i
], &real_fdset
);
666 krb5_errx (context
, 1, "No sockets!");
668 while(exit_flag
== 0) {
670 fd_set fdset
= real_fdset
;
672 ret
= select (maxfd
+ 1, &fdset
, NULL
, NULL
, NULL
);
677 krb5_err (context
, 1, errno
, "select");
679 for (i
= 0; i
< n
; ++i
)
680 if (FD_ISSET(sockets
[i
], &fdset
)) {
682 socklen_t addrlen
= sizeof(__ss
);
684 ret
= recvfrom (sockets
[i
], buf
, sizeof(buf
), 0,
690 krb5_err (context
, 1, errno
, "recvfrom");
693 process (realms
, keytab
, sockets
[i
],
700 for (i
= 0; i
< n
; ++i
)
704 krb5_free_addresses (context
, &addrs
);
705 krb5_free_host_realm (context
, realms
);
706 krb5_free_context (context
);
716 static const char *check_library
= NULL
;
717 static const char *check_function
= NULL
;
718 static getarg_strings policy_libraries
= { 0, NULL
};
719 static char *keytab_str
= "HDB:";
720 static char *realm_str
;
721 static int version_flag
;
722 static int help_flag
;
723 static char *port_str
;
724 static char *config_file
;
726 struct getargs args
[] = {
728 { "check-library", 0, arg_string
, &check_library
,
729 "library to load password check function from", "library" },
730 { "check-function", 0, arg_string
, &check_function
,
731 "password check function to load", "function" },
732 { "policy-libraries", 0, arg_strings
, &policy_libraries
,
733 "password check function to load", "function" },
735 { "addresses", 0, arg_strings
, &addresses_str
,
736 "addresses to listen on", "list of addresses" },
737 { "keytab", 'k', arg_string
, &keytab_str
,
738 "keytab to get authentication key from", "kspec" },
739 { "config-file", 'c', arg_string
, &config_file
},
740 { "realm", 'r', arg_string
, &realm_str
, "default realm", "realm" },
741 { "port", 'p', arg_string
, &port_str
, "port" },
742 { "version", 0, arg_flag
, &version_flag
},
743 { "help", 0, arg_flag
, &help_flag
}
745 int num_args
= sizeof(args
) / sizeof(args
[0]);
748 main (int argc
, char **argv
)
755 krb5_program_setup(&context
, argc
, argv
, args
, num_args
, NULL
);
758 krb5_std_usage(0, args
, num_args
);
764 if (config_file
== NULL
) {
765 asprintf(&config_file
, "%s/kdc.conf", hdb_db_dir(context
));
766 if (config_file
== NULL
)
767 errx(1, "out of memory");
770 ret
= krb5_prepend_config_files_default(config_file
, &files
);
772 krb5_err(context
, 1, ret
, "getting configuration files");
774 ret
= krb5_set_config_files(context
, files
);
775 krb5_free_config_files(files
);
777 krb5_err(context
, 1, ret
, "reading configuration files");
780 krb5_set_default_realm(context
, realm_str
);
782 krb5_openlog (context
, "kpasswdd", &log_facility
);
783 krb5_set_warn_dest(context
, log_facility
);
785 if (port_str
!= NULL
) {
786 struct servent
*s
= roken_getservbyname (port_str
, "udp");
793 port
= strtol (port_str
, &ptr
, 10);
794 if (port
== 0 && ptr
== port_str
)
795 krb5_errx (context
, 1, "bad port `%s'", port_str
);
799 port
= krb5_getportbyname (context
, "kpasswd", "udp", KPASSWD_PORT
);
801 ret
= krb5_kt_register(context
, &hdb_kt_ops
);
803 krb5_err(context
, 1, ret
, "krb5_kt_register");
805 ret
= krb5_kt_resolve(context
, keytab_str
, &keytab
);
807 krb5_err(context
, 1, ret
, "%s", keytab_str
);
809 kadm5_setup_passwd_quality_check (context
, check_library
, check_function
);
811 for (i
= 0; i
< policy_libraries
.num_strings
; i
++) {
812 ret
= kadm5_add_passwd_quality_verifier(context
,
813 policy_libraries
.strings
[i
]);
815 krb5_err(context
, 1, ret
, "kadm5_add_passwd_quality_verifier");
817 ret
= kadm5_add_passwd_quality_verifier(context
, NULL
);
819 krb5_err(context
, 1, ret
, "kadm5_add_passwd_quality_verifier");
822 explicit_addresses
.len
= 0;
824 if (addresses_str
.num_strings
) {
827 for (i
= 0; i
< addresses_str
.num_strings
; ++i
)
828 add_one_address (addresses_str
.strings
[i
], i
== 0);
829 free_getarg_strings (&addresses_str
);
831 char **foo
= krb5_config_get_strings (context
, NULL
,
832 "kdc", "addresses", NULL
);
835 add_one_address (*foo
++, TRUE
);
837 add_one_address (*foo
++, FALSE
);
841 #ifdef HAVE_SIGACTION
846 sa
.sa_handler
= sigterm
;
847 sigemptyset(&sa
.sa_mask
);
849 sigaction(SIGINT
, &sa
, NULL
);
850 sigaction(SIGTERM
, &sa
, NULL
);
853 signal(SIGINT
, sigterm
);
854 signal(SIGTERM
, sigterm
);
859 return doit (keytab
, port
);