authorTheodore Tso <tytso@mit.edu>1998-07-03 22:34:54 +0000
committerTheodore Tso <tytso@mit.edu>1998-07-03 22:34:54 +0000
commitdf1bc2c9c34765cb8eeb75c704d7ce0294f4743b (patch)
tree53565355572076bb29a3f17dcc1083d862cb2297
parente7fe8eaef32539fc176888413cdcf345952b9efb (diff)
Makefile.in (build_pwfile): Add rule to build the build_pwfile program
kadm_server.c (kadm_ser_cpw): Put the call to the kadm_approve_pw in the common code, so it's executed even if KADM5 is defined. Add appropriate syslogs to the change password processing. kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do the NDBM-based dictionary check. Build kadmind4 using the make option PW_CHECK=-DNDBM_PW_CHECK if this feature is desired. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10621 dc483132-0cff-0310-8789-dd5450dbe970
-rw-r--r--src/kadmin/v4server/ChangeLog15
-rw-r--r--src/kadmin/v4server/Makefile.in11
-rw-r--r--src/kadmin/v4server/build_pwfile.c119
-rw-r--r--src/kadmin/v4server/kadm_funcs.c8
-rw-r--r--src/kadmin/v4server/kadm_server.c97
5 files changed, 200 insertions, 50 deletions
diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog
index 5ced9eb321..c8846ff141 100644
--- a/src/kadmin/v4server/ChangeLog
+++ b/src/kadmin/v4server/ChangeLog
@@ -1,3 +1,18 @@
+Fri Jul 3 18:17:48 1998 Theodore Y. Ts'o <tytso@mit.edu>
+
+ * Makefile.in (build_pwfile): Add rule to build the build_pwfile
+ program.
+
+ * kadm_server.c (kadm_ser_cpw): Put the call to the
+ kadm_approve_pw in the common code, so it's executed even
+ if KADM5 is defined. Add appropriate syslogs to the
+ change password processing.
+
+ * kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do
+ the NDBM-based dictionary check. Build kadmind4 using
+ the make option PW_CHECK=-DNDBM_PW_CHECK if this feature
+ is desired.
+
1998-05-08 Theodore Ts'o <tytso@rsts-11.mit.edu>
* kadm_server.c (krb_log): Print the year using 4 digit to avoid
diff --git a/src/kadmin/v4server/Makefile.in b/src/kadmin/v4server/Makefile.in
index 19b7ee81ca..726b91a849 100644
--- a/src/kadmin/v4server/Makefile.in
+++ b/src/kadmin/v4server/Makefile.in
@@ -1,6 +1,6 @@
thisconfigdir=./..
BUILDTOP=$(REL)$(U)$(S)$(U)
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) \
+CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) $(PW_CHECK) \
-DKADM5 -DNEED_SOCKETS @HESIOD_DEFS@
PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
PROG_RPATH=$(KRB5_LIBDIR)
@@ -21,11 +21,16 @@ kadm_err.c kadm_err.h: kadm_err.et
$(OBJS): kadm_err.h
$(PROG): $(OBJS) $(KADMCLNT_DEPLIBS) $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS)
- $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(DB_LIB) $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
+ $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(DB_LIB) \
+ $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
+
+build_pwfile: build_pwfile.o $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS)
+ $(CC_LINK) -o build_pwfile build_pwfile.o $(DB_LIB) \
+ $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
install::
$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
clean::
- $(RM) $(PROG) $(OBJS)
+ $(RM) $(PROG) $(OBJS) build_pwfile build_pwfile.o
$(RM) kadm_err.h kadm_err.c
diff --git a/src/kadmin/v4server/build_pwfile.c b/src/kadmin/v4server/build_pwfile.c
new file mode 100644
index 0000000000..9cede78cc9
--- /dev/null
+++ b/src/kadmin/v4server/build_pwfile.c
@@ -0,0 +1,119 @@
+#define NDBM
+/*
+ * build_pwfile.c --- build a table of bad passwords, keyed by their
+ * des equivalents.
+ *
+ * Written by Theodore Ts'o
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#ifndef lint
+static char rcsid_build_pwfile_c[] =
+"$Id$";
+#endif lint
+
+#include <mit-copyright.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/file.h>
+
+#ifdef NDBM
+#include <ndbm.h>
+#else /*NDBM*/
+#include <dbm.h>
+#endif /*NDBM*/
+
+#include <kadm.h>
+#include <kadm_err.h>
+#include <krb_db.h>
+#include "kadm_server.h"
+
+/* Macros to convert ndbm names to dbm names.
+ * Note that dbm_nextkey() cannot be simply converted using a macro, since
+ * it is invoked giving the database, and nextkey() needs the previous key.
+ *
+ * Instead, all routines call "dbm_next" instead.
+ */
+#ifndef NDBM
+typedef char DBM;
+#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
+#define dbm_fetch(db, key) fetch(key)
+#define dbm_store(db, key, content, flag) store(key, content)
+#define dbm_firstkey(db) firstkey()
+#define dbm_next(db,key) nextkey(key)
+#define dbm_close(db) dbmclose()
+#else
+#define dbm_next(db,key) dbm_nextkey(db)
+#endif
+
+main(argc, argv)
+ int argc;
+ char **argv;
+{
+ DBM *pwfile;
+ FILE *f;
+ datum passwd, entry;
+ des_cblock key;
+ char word[1024];
+ int len, filenum, i;
+ int wptr;
+
+ if (argc != 2) {
+ fprintf(stderr,"%s: Usage: %s filename\n", argv[0], argv[0]);
+ exit(1);
+ }
+ if (!(f = fopen(argv[1], "r"))) {
+ perror(argv[1]);
+ exit(1);
+ }
+ pwfile = dbm_open(PW_CHECK_FILE, O_RDWR|O_CREAT, 0644);
+ if (!pwfile) {
+ fprintf(stderr, "Couldn't open %s for writing.\n",
+ PW_CHECK_FILE);
+ perror("dbm_open");
+ exit(1);
+ }
+ filenum = 0;
+ do {
+ filenum++;
+ passwd.dptr = (char *) &filenum;
+ passwd.dsize = sizeof(filenum);
+ entry.dptr = argv[1];
+ entry.dsize = strlen(argv[1])+1;
+ } while (dbm_store(pwfile, passwd, entry, DBM_INSERT));
+ i = 0;
+ while (!feof(f)) {
+ i++;
+ wptr = (filenum << 24) + i;
+ fgets(word, sizeof(word), f);
+ len = strlen(word);
+ if (len > 0 && word[len-1] == '\n')
+ word[--len] = '\0';
+#ifdef NOENCRYPTION
+ bzero((char *) key, sizeof(des_cblock));
+ key[0] = (unsigned char) 1;
+#else
+ (void) des_string_to_key(word, key);
+#endif
+
+ passwd.dptr = (char *) key;
+ passwd.dsize = 8;
+ entry.dptr = (char *) &wptr;
+#ifdef notdef
+ entry.dsize = sizeof(wptr);
+#else
+ entry.dsize = 0;
+#endif
+ dbm_store(pwfile, passwd, entry, DBM_REPLACE);
+ }
+ dbm_close(pwfile);
+ exit(0);
+}
+
+
+
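Review bot: The read loop `while (!feof(f))` calls `fgets(word, sizeof(word), f)` without checking its result, so at end of file, or on an empty input, `strlen(word)` runs on a stale or uninitialized buffer and a bogus key is stored; `while (fgets(word, sizeof(word), f) != NULL) {` with the inner call dropped avoids that. Lines longer than `sizeof(word) - 1` are split into fragments that are each hashed as separate words, which is worth a warning since those entries will never match a real password. The `do { ... } while (dbm_store(pwfile, passwd, entry, DBM_INSERT));` loop treats a negative error return the same as "key exists" and keeps incrementing `filenum`; testing `== 1` and exiting on `< 0` would stop it spinning. The `dbm_store(..., DBM_REPLACE)` result in the main loop is also ignored, so a partially built dictionary would be produced with exit status 0.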
diff --git a/src/kadmin/v4server/kadm_funcs.c b/src/kadmin/v4server/kadm_funcs.c
index 87eb227ee8..1d32073007 100644
--- a/src/kadmin/v4server/kadm_funcs.c
+++ b/src/kadmin/v4server/kadm_funcs.c
@@ -19,7 +19,9 @@ the actual database manipulation code
#include <stdio.h>
#include <string.h>
#include <sys/param.h>
-/* #include <ndbm.h> Gotten by kadmin_server.h */
+#ifdef NDBM_PW_CHECK
+#include <ndbm.h>
+#endif
#include <ctype.h>
#include <pwd.h>
#include <sys/file.h>
@@ -746,7 +748,7 @@ des_cblock newpw;
char *pwstring;
{
int retval;
-#ifdef notdef
+#if NDBM_PW_CHECK
static DBM *pwfile = NULL;
datum passwd, entry;
#endif
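Review bot: The guard here is `#if NDBM_PW_CHECK`, as it is in the following hunk at the `dbm_open` block, while the include of `<ndbm.h>` in the first hunk uses `#ifdef NDBM_PW_CHECK`. With the documented `PW_CHECK=-DNDBM_PW_CHECK` both forms agree, but a bare `#define NDBM_PW_CHECK` makes `#if` ill-formed and `-DNDBM_PW_CHECK=0` pulls in the header without the check. Using `#ifdef NDBM_PW_CHECK` in all three places would keep them consistent. The function body starts and ends outside this hunk.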
@@ -762,7 +764,7 @@ char *pwstring;
return(KADM_PW_MISMATCH);
if (pwstring && (strlen(pwstring) < 5))
return(KADM_INSECURE_PW);
-#ifdef notdef
+#if NDBM_PW_CHECK
if (!pwfile) {
pwfile = dbm_open(PW_CHECK_FILE, O_RDONLY, 0644);
}
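Review bot: Now that this block is compiled in, what happens when `dbm_open(PW_CHECK_FILE, O_RDONLY, 0644)` returns NULL decides whether a missing or unreadable dictionary disables the check without anyone noticing. That handling lies below the hunk and is not visible here, so it should be confirmed. If the code simply skips the lookup when `pwfile` is NULL, I would add a comment such as `/* dictionary unavailable: check is skipped, not failed */` and log the condition so operators can tell the policy is not being enforced. Because `pwfile` stays NULL after a failure, the open is also retried on every password change.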
diff --git a/src/kadmin/v4server/kadm_server.c b/src/kadmin/v4server/kadm_server.c
index e84e0b7a70..71cec13391 100644
--- a/src/kadmin/v4server/kadm_server.c
+++ b/src/kadmin/v4server/kadm_server.c
@@ -24,6 +24,7 @@
#else
#include <time.h>
#endif
+#include <syslog.h>
#ifdef KADM5
#include <com_err.h>
@@ -167,13 +168,55 @@ int *outlen;
memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4);
memcpy((char *)newkey, (char *)&keylow, 4);
+ if (retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
+ newkey, no_pword ? 0 : pword)) {
+ if (retval == KADM_PW_MISMATCH) {
+ /*
+ * Very strange!!! This means that the cleartext
+ * password which was sent and the DES cblock
+ * didn't match!
+ */
+ syslog(LOG_ERR, "'%s.%s@%s' sent a password string which didn't match with the DES key?!?",
+ ad->pname, ad->pinst, ad->prealm);
+ return(retval);
+ }
+ if (fascist_cpw) {
+ *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1;
+ if (*datout = (u_char *) malloc(*outlen)) {
+ strcpy((char *) *datout, bad_pw_err);
+ strcat((char *) *datout, pw_blurb);
+ } else
+ *outlen = 0;
+ syslog(LOG_ERR, "'%s.%s@%s' tried to use an insecure password in changepw",
+ ad->pname, ad->pinst, ad->prealm);
+#ifdef notdef
+ /* For debugging only, probably a bad idea */
+ if (!no_pword)
+ (void) krb_log("The password was %s\n", pword);
+#endif
+ return(retval);
+ } else {
+ *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1;
+ if (*datout = (u_char *) malloc(*outlen)) {
+ strcpy((char *) *datout, bad_pw_warn);
+ strcat((char *) *datout, pw_blurb);
+ } else
+ *outlen = 0;
+ syslog(LOG_ERR, "'%s.%s@%s' used an insecure password in changepw",
+ ad->pname, ad->pinst, ad->prealm);
+ }
+ } else {
+ *datout = 0;
+ *outlen = 0;
+ }
+
#ifdef KADM5
/* we don't use the client-provided key itself */
keylow = keyhigh = 0;
memset(newkey, 0, sizeof(newkey));
if (no_pword) {
- krb_log("Old-style change password request from '%s.%s@%s'!",
+ syslog(LOG_ERR, "Old-style change password request from '%s.%s@%s'!",
ad->pname, ad->pinst, ad->prealm);
*outlen = strlen(pw_required)+1;
if (*datout = (u_char *) malloc(*outlen)) {
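Review bot: The two early `return(retval);` exits in the added `kadm_approve_pw` block, in the `KADM_PW_MISMATCH` case and in the `fascist_cpw` case, leave `newkey`, `keylow` and `keyhigh` holding client key material, whereas the KADM5 path just below wipes them. Putting `keylow = keyhigh = 0;` and `memset(newkey, 0, sizeof(newkey));` before each of those returns would keep the handling uniform. Separately, when the non-fascist branch has already stored the `bad_pw_warn` buffer in `*datout`, the `no_pword` branch here assigns a fresh `malloc` result to `*datout` without freeing the earlier one. The `syslog(LOG_ERR, ...)` calls log client-supplied principal components verbatim, so a comment noting that `ad->pname`, `ad->pinst` and `ad->prealm` may contain arbitrary bytes would help whoever parses these logs. The function starts and ends outside the hunk, so the caller's ownership of `*datout` is not visible here.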
@@ -184,6 +227,9 @@ int *outlen;
return KADM_INSECURE_PW;
}
+ syslog(LOG_INFO, "'%s.%s@%s' wants to change its password",
+ ad->pname, ad->pinst, ad->prealm);
+
if (krb5_build_principal(kadm_context, &user_princ,
strlen(ad->prealm),
ad->prealm,
@@ -269,54 +315,17 @@ send_response:
strcat(*datout, "\n");
} else
*outlen = 0;
+ } else {
+ syslog(LOG_INFO,
+ "'%s.%s@%s' password changed.",
+ ad->pname, ad->pinst, ad->prealm);
}
if (retval == KADM_INSECURE_PW) {
- krb_log("'%s.%s@%s' tried to use an insecure password in changepw",
+ syslog(LOG_ERR,
+ "'%s.%s@%s' tried to use an insecure password in changepw",
ad->pname, ad->pinst, ad->prealm);
}
#else /* KADM5 */
- if (retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
- newkey, no_pword ? 0 : pword)) {
- if (retval == KADM_PW_MISMATCH) {
- /*
- * Very strange!!! This means that the cleartext
- * password which was sent and the DES cblock
- * didn't match!
- */
- (void) krb_log("'%s.%s@%s' sent a password string which didn't match with the DES key?!?",
- ad->pname, ad->pinst, ad->prealm);
- return(retval);
- }
- if (fascist_cpw) {
- *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1;
- if (*datout = (u_char *) malloc(*outlen)) {
- strcpy((char *) *datout, bad_pw_err);
- strcat((char *) *datout, pw_blurb);
- } else
- *outlen = 0;
- (void) krb_log("'%s.%s@%s' tried to use an insecure password in changepw",
- ad->pname, ad->pinst, ad->prealm);
-#ifdef notdef
- /* For debugging only, probably a bad idea */
- if (!no_pword)
- (void) krb_log("The password was %s\n", pword);
-#endif
- return(retval);
- } else {
- *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1;
- if (*datout = (u_char *) malloc(*outlen)) {
- strcpy((char *) *datout, bad_pw_warn);
- strcat((char *) *datout, pw_blurb);
- } else
- *outlen = 0;
- (void) krb_log("'%s.%s@%s' used an insecure password in changepw",
- ad->pname, ad->pinst, ad->prealm);
- }
- } else {
- *datout = 0;
- *outlen = 0;
- }
-
retval = kadm_change(ad->pname, ad->pinst, ad->prealm, newkey);
keylow = keyhigh = 0;
memset(newkey, 0, sizeof(newkey));