* Copyright (c) 1990, 1993
* The Regents of the University of California. All rights reserved.
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
static char copyright
[] =
"@(#) Copyright (c) 1990, 1993\n\
The Regents of the University of California. All rights reserved.\n";
static char sccsid
[] = "@(#)kpasswdd.c 8.1 (Berkeley) 6/4/93";
* kpasswdd - update a principal's passwd field in the Kerberos
* database. Called from inetd.
#include <sys/resource.h>
#include <kerberosIV/des.h>
#include <kerberosIV/krb.h>
#include <kerberosIV/krb_db.h>
#include "kpasswd_proto.h"
static struct kpasswd_data kpwd_data
;
static des_cblock master_key
, key
;
static Key_schedule master_key_schedule
,
key_schedule
, random_sched
;
static Principal principal_data
;
static struct update_data ud_data
;
char *progname
; /* for the library */
struct sockaddr_in foreign
;
int foreign_len
= sizeof(foreign
);
static char name
[] = "kpasswdd";
static struct rlimit rl
= { 0, 0 };
openlog("kpasswdd", LOG_CONS
| LOG_PID
, LOG_AUTH
);
signal(SIGTSTP
, SIG_IGN
);
if (setrlimit(RLIMIT_CORE
, &rl
) < 0) {
syslog(LOG_ERR
, "setrlimit: %m");
if (getpeername(0, &foreign
, &foreign_len
) < 0) {
syslog(LOG_ERR
,"getpeername: %m");
0L, /* options--!MUTUAL */
&ticket
, /* client's ticket */
SERVICE
, /* expected service */
inst
, /* expected instance */
&foreign
, /* foreign addr */
(struct sockaddr_in
*) 0, /* local addr */
&kdata
, /* returned krb data */
"", /* service keys file */
(bit_64
*) NULL
, /* returned key schedule */
syslog(LOG_NOTICE
, "krb_recvauth: %s", krb_err_txt
[rval
]);
/* indicates error on client's side (no tickets, etc.) */
} else if (strcmp(version
, "KPWDV0.1") != 0) {
"kpasswdd version conflict (recv'd %s)",
if (kdb_get_master_key(0, master_key
, master_key_schedule
) != 0) {
syslog(LOG_ERR
, "couldn't get master key");
mkeyversion
= kdb_get_master_key(NULL
, master_key
, master_key_schedule
);
syslog(LOG_NOTICE
, "couldn't verify master key");
rval
= kerb_get_principal(
"error retrieving principal record for %s.%s",
kdata
.pname
, kdata
.pinst
);
if (rval
!= 1 || (more
!= 0)) {
syslog(LOG_NOTICE
, "more than 1 dbase entry for %s.%s",
kdata
.pname
, kdata
.pinst
);
bcopy(&principal_data
.key_low
, key
, 4);
bcopy(&principal_data
.key_high
, ((long *) key
) + 1, 4);
kdb_encrypt_key(key
, key
, master_key
, master_key_schedule
,
key_sched(key
, key_schedule
);
des_set_key(key
, key_schedule
);
/* get random key and send it over {random} Kperson */
random_key(kpwd_data
.random_key
);
strcpy(kpwd_data
.secure_msg
, SECURE_STRING
);
if (des_write(0, &kpwd_data
, sizeof(kpwd_data
)) != sizeof(kpwd_data
)) {
syslog(LOG_NOTICE
, "error writing initial data");
bzero(key_schedule
, sizeof(key_schedule
));
/* now read update info: { info }Krandom */
key_sched(kpwd_data
.random_key
, random_sched
);
des_set_key(kpwd_data
.random_key
, random_sched
);
if (des_read(0, &ud_data
, sizeof(ud_data
)) != sizeof(ud_data
)) {
syslog(LOG_NOTICE
, "update aborted");
/* validate info string by looking at the embedded string */
if (strcmp(ud_data
.secure_msg
, SECURE_STRING
) != 0) {
syslog(LOG_NOTICE
, "invalid update from %s",
inet_ntoa(foreign
.sin_addr
));
/* produce the new key entry in the database { key }Kmaster */
string_to_key(ud_data
.pw
, key
);
kdb_encrypt_key(key
, key
,
master_key
, master_key_schedule
,
bcopy(key
, &principal_data
.key_low
, 4);
bcopy(((long *) key
) + 1,
&principal_data
.key_high
, 4);
principal_data
.key_version
++;
if (kerb_put_principal(&principal_data
, 1)) {
syslog(LOG_ERR
, "couldn't write new record for %s.%s",
principal_data
.name
, principal_data
.instance
);
syslog(LOG_NOTICE
,"wrote new password field for %s.%s from %s",
inet_ntoa(foreign
.sin_addr
)
send_ack(0, "Update complete.\n");
bzero(&kpwd_data
, sizeof(kpwd_data
));
bzero(master_key
, sizeof(master_key
));
bzero(master_key_schedule
, sizeof(master_key_schedule
));
bzero(key_schedule
, sizeof(key_schedule
));
bzero(random_sched
, sizeof(random_sched
));
bzero(&principal_data
, sizeof(principal_data
));
bzero(&ud_data
, sizeof(ud_data
));
cc
= des_write(remote
, msg
, strlen(msg
) + 1);
syslog(LOG_NOTICE
, "error writing ack");