![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to passwd.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [CSRG BSD Unix] / 43BSDReno / usr.bin / passwd|
Return to passwd.c CVS log | Up to [CSRG BSD Unix] / 43BSDReno / usr.bin / passwd |
1.1 root 1: /*
2: * Copyright (c) 1988 The Regents of the University of California.
3: * All rights reserved.
4: *
5: * Redistribution and use in source and binary forms are permitted provided
6: * that: (1) source distributions retain this entire copyright notice and
7: * comment, and (2) distributions including binaries display the following
8: * acknowledgement: ``This product includes software developed by the
9: * University of California, Berkeley and its contributors'' in the
10: * documentation or other materials provided with the distribution and in
11: * all advertising materials mentioning features or use of this software.
12: * Neither the name of the University nor the names of its contributors may
13: * be used to endorse or promote products derived from this software without
14: * specific prior written permission.
15: * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
16: * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
17: * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
18: */
19:
20: #ifndef lint
21: char copyright[] =
22: "@(#) Copyright (c) 1988 The Regents of the University of California.\n\
23: All rights reserved.\n";
24: #endif /* not lint */
25:
26: #ifndef lint
27: static char sccsid[] = "@(#)passwd.c 4.42 (Berkeley) 6/19/90";
28: #endif /* not lint */
29:
30: #include <sys/param.h>
31: #include <sys/file.h>
32: #include <sys/signal.h>
33: #include <sys/time.h>
34: #include <sys/resource.h>
35: #include <sys/wait.h>
36: #include <errno.h>
37: #include <pwd.h>
38: #include <stdio.h>
39: #include <ctype.h>
40: #include <string.h>
41:
42: #ifdef KERBEROS
43: #include <sys/types.h>
44: #include <sys/socket.h>
45: #include <netinet/in.h>
46: #include <netdb.h>
47: #include <kerberosIV/des.h>
48: #include <kerberosIV/krb.h>
49: #include "kpasswd_proto.h"
50: int use_kerberos = 1;
51: #define ARGSTR "l"
52: #else
53: #define ARGSTR ""
54: #endif
55:
56: uid_t uid;
57:
58: main(argc, argv)
59: int argc;
60: char **argv;
61: {
62: register int ch;
63: extern int errno, optind;
64: extern char *optarg;
65: struct passwd *pw;
66: struct rlimit rlim;
67: FILE *temp_fp;
68: int fd;
69: char *fend, *np, *passwd, *temp, *tend, *uname;
70: char from[MAXPATHLEN], to[MAXPATHLEN];
71: char *getnewpasswd(), *getlogin();
72:
73: uid = getuid();
74: uname = getlogin();
75:
76: #ifdef KERBEROS
77: while ((ch = getopt(argc, argv, ARGSTR)) != EOF)
78: switch (ch) {
79: /* change local password file */
80: case 'l':
81: use_kerberos = 0;
82: break;
83: default:
84: case '?':
85: usage();
86: exit(1);
87: }
88:
89: argc -= optind;
90: argv += optind;
91: #endif
92:
93: switch(argc) {
94: case 0:
95: break;
96: case 1:
97: #ifdef KERBEROS
98: if (use_kerberos && (strcmp(argv[1],uname) != 0)) {
99: fprintf(stderr,
100: "must kinit to change another's password\n");
101: exit(1);
102: }
103: #endif
104: uname = argv[0];
105: break;
106: default:
107: usage();
108: exit(1);
109: }
110:
111: #ifdef KERBEROS
112: if (use_kerberos) {
113: exit(do_krb_passwd());
114: /* NOTREACHED */
115: }
116: #endif
117:
118: if (!(pw = getpwnam(uname))) {
119: fprintf(stderr, "passwd: unknown user %s.\n", uname);
120: exit(1);
121: }
122: if (uid && uid != pw->pw_uid) {
123: fprintf(stderr, "passwd: %s\n", strerror(EACCES));
124: exit(1);
125: }
126:
127: (void)signal(SIGHUP, SIG_IGN);
128: (void)signal(SIGINT, SIG_IGN);
129: (void)signal(SIGQUIT, SIG_IGN);
130: (void)signal(SIGTSTP, SIG_IGN);
131:
132: rlim.rlim_cur = rlim.rlim_max = RLIM_INFINITY;
133: (void)setrlimit(RLIMIT_CPU, &rlim);
134: (void)setrlimit(RLIMIT_FSIZE, &rlim);
135:
136: (void)umask(0);
137:
138: temp = _PATH_PTMP;
139: if ((fd = open(temp, O_WRONLY|O_CREAT|O_EXCL, 0600)) < 0) {
140: if (errno == EEXIST) {
141: fprintf(stderr,
142: "passwd: password file busy -- try again later.\n");
143: exit(0);
144: }
145: fprintf(stderr, "passwd: %s: %s", temp, strerror(errno));
146: goto bad;
147: }
148: if (!(temp_fp = fdopen(fd, "w"))) {
149: fprintf(stderr, "passwd: can't write %s", temp);
150: goto bad;
151: }
152: passwd = _PATH_MASTERPASSWD;
153: if (!freopen(passwd, "r", stdin)) {
154: fprintf(stderr, "passwd: can't read %s", passwd);
155: goto bad;
156: }
157:
158: printf("Changing local password for %s.\n", pw->pw_name);
159: np = getnewpasswd(pw, temp);
160:
161: if (!copy(pw->pw_name, np, temp_fp, pw))
162: goto bad;
163:
164: (void)fclose(temp_fp);
165: (void)fclose(stdin);
166:
167: switch(fork()) {
168: case 0:
169: break;
170: case -1:
171: fprintf(stderr, "passwd: can't fork");
172: goto bad;
173: /* NOTREACHED */
174: default:
175: exit(0);
176: /* NOTREACHED */
177: }
178:
179: if (makedb(temp)) {
180: fprintf(stderr, "passwd: mkpasswd failed");
181: bad: fprintf(stderr, "; password unchanged.\n");
182: (void)unlink(temp);
183: exit(1);
184: }
185:
186: /*
187: * possible race; have to rename four files, and someone could slip
188: * in between them. LOCK_EX and rename the ``passwd.dir'' file first
189: * so that getpwent(3) can't slip in; the lock should never fail and
190: * it's unclear what to do if it does. Rename ``ptmp'' last so that
191: * passwd/vipw/chpass can't slip in.
192: */
193: (void)setpriority(PRIO_PROCESS, 0, -20);
194: fend = strcpy(from, temp) + strlen(temp);
195: tend = strcpy(to, _PATH_PASSWD) + strlen(_PATH_PASSWD);
196: bcopy(".dir", fend, 5);
197: bcopy(".dir", tend, 5);
198: if ((fd = open(from, O_RDONLY, 0)) >= 0)
199: (void)flock(fd, LOCK_EX);
200: /* here we go... */
201: (void)rename(from, to);
202: bcopy(".pag", fend, 5);
203: bcopy(".pag", tend, 5);
204: (void)rename(from, to);
205: bcopy(".orig", fend, 6);
206: (void)rename(from, _PATH_PASSWD);
207: (void)rename(temp, passwd);
208: /* done! */
209: exit(0);
210: }
211:
212: copy(name, np, fp, pw)
213: char *name, *np;
214: FILE *fp;
215: struct passwd *pw;
216: {
217: register int done;
218: register char *p;
219: char buf[1024];
220:
221: for (done = 0; fgets(buf, sizeof(buf), stdin);) {
222: /* skip lines that are too big */
223: if (!index(buf, '\n')) {
224: fprintf(stderr, "passwd: line too long.\n");
225: return(0);
226: }
227: if (done) {
228: fprintf(fp, "%s", buf);
229: continue;
230: }
231: if (!(p = index(buf, ':'))) {
232: fprintf(stderr, "passwd: corrupted entry.\n");
233: return(0);
234: }
235: *p = '\0';
236: if (strcmp(buf, name)) {
237: *p = ':';
238: fprintf(fp, "%s", buf);
239: continue;
240: }
241: if (!(p = index(++p, ':'))) {
242: fprintf(stderr, "passwd: corrupted entry.\n");
243: return(0);
244: }
245: /*
246: * reset change time to zero; when classes are implemented,
247: * go and get the "offset" value for this class and reset
248: * the timer.
249: */
250: fprintf(fp, "%s:%s:%d:%d:%s:%ld:%ld:%s:%s:%s\n",
251: pw->pw_name, np, pw->pw_uid, pw->pw_gid,
252: pw->pw_class, 0L, pw->pw_expire, pw->pw_gecos,
253: pw->pw_dir, pw->pw_shell);
254: done = 1;
255: }
256: return(1);
257: }
258:
259: char *
260: getnewpasswd(pw, temp)
261: register struct passwd *pw;
262: char *temp;
263: {
264: register char *p, *t;
265: char buf[_PASSWORD_LEN+1], salt[2], *crypt(), *getpass();
266: int tries = 0;
267: time_t time();
268:
269: if (uid && pw->pw_passwd &&
270: strcmp(crypt(getpass("Old password:"), pw->pw_passwd),
271: pw->pw_passwd)) {
272: (void)printf("passwd: %s.\n", strerror(EACCES));
273: (void)unlink(temp);
274: exit(1);
275: }
276:
277: for (buf[0] = '\0';;) {
278: p = getpass("New password:");
279: if (!*p) {
280: (void)printf("Password unchanged.\n");
281: (void)unlink(temp);
282: exit(0);
283: }
284: if (strlen(p) <= 5 && (uid != 0 || tries++ < 2)) {
285: printf("Please enter a longer password.\n");
286: continue;
287: }
288: for (t = p; *t && islower(*t); ++t);
289: if (!*t && (uid != 0 || tries++ < 2)) {
290: printf("Please don't use an all-lower case password.\nUnusual capitalization, control characters or digits are suggested.\n");
291: continue;
292: }
293: (void)strcpy(buf, p);
294: if (!strcmp(buf, getpass("Retype new password:")))
295: break;
296: printf("Mismatch; try again, EOF to quit.\n");
297: }
298: /* grab a random printable character that isn't a colon */
299: (void)srandom((int)time((time_t *)NULL));
300: #ifdef NEWSALT
301: salt[0] = '_';
302: to64(&salt[1], (long)(29*25), 4);
303: to64(&salt[5], (long)random(), 4);
304: #else
305: to64(&salt[0], (long)random(), 2);
306: #endif
307: return(crypt(buf, salt));
308: }
309:
310: static unsigned char itoa64[] = /* 0..63 => ascii-64 */
311: "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
312:
313: to64(s, v, n)
314: register char *s;
315: register long v;
316: register int n;
317: {
318: while (--n >= 0) {
319: *s++ = itoa64[v&0x3f];
320: v >>= 6;
321: }
322: }
323:
324: makedb(file)
325: char *file;
326: {
327: union wait pstat;
328: pid_t pid, waitpid();
329:
330: if (!(pid = vfork())) {
331: execl(_PATH_MKPASSWD, "mkpasswd", "-p", file, NULL);
332: _exit(127);
333: }
334: return(waitpid(pid, &pstat, 0) == -1 ? -1 : pstat.w_status);
335: }
336:
337: usage()
338: {
339: #ifdef KERBEROS
340: fprintf(stderr, "usage: passwd [-l] user\n");
341: #else
342: fprintf(stderr, "usage: passwd user\n");
343: #endif
344: }
345:
346:
347: #ifdef KERBEROS
348: KTEXT_ST ticket;
349: long authopts = 0L;
350: Key_schedule random_schedule;
351: char realm[REALM_SZ], krbhst[MAX_HSTNM];
352: static struct kpasswd_data proto_data;
353: static des_cblock okey;
354: static Key_schedule osched;
355: int sock;
356: int finish();
357: #define PROTO "tcp"
358:
359: static struct timeval timeout = { CLIENT_KRB_TIMEOUT, 0 };
360:
361: do_krb_passwd()
362: {
363: struct servent *se;
364: struct hostent *host;
365: struct sockaddr_in sin;
366: int rval;
367: char pass[_PASSWORD_LEN], password[_PASSWORD_LEN];
368: fd_set readfds;
369: CREDENTIALS cred;
370:
371: static struct rlimit rl = { 0, 0 };
372:
373: (void)signal(SIGHUP, SIG_IGN);
374: (void)signal(SIGINT, SIG_IGN);
375: (void)signal(SIGTSTP, SIG_IGN);
376:
377: if (setrlimit(RLIMIT_CORE, &rl) < 0) {
378: perror("setrlimit");
379: return(1);
380: }
381:
382: if ((se = getservbyname(SERVICE, PROTO)) == NULL) {
383: fprintf(stderr, "couldn't find entry for service %s/%s\n",
384: SERVICE, PROTO);
385: return(1);
386: }
387:
388: if ((rval = krb_get_lrealm(realm,1)) != KSUCCESS) {
389: fprintf(stderr, "couldn't get local Kerberos realm: %s\n",
390: krb_err_txt[rval]);
391: return(1);
392: }
393:
394: if ((rval = krb_get_krbhst(krbhst, realm, 1)) != KSUCCESS) {
395: fprintf(stderr, "couldn't get Kerberos host: %s\n",
396: krb_err_txt[rval]);
397: return(1);
398: }
399:
400: if ((host = gethostbyname(krbhst)) == NULL) {
401: fprintf(stderr, "couldn't get host entry for krb host %s\n",
402: krbhst);
403: return(1);
404: }
405:
406: sin.sin_family = host->h_addrtype;
407: bcopy(host->h_addr, (char *) &sin.sin_addr, host->h_length);
408: sin.sin_port = se->s_port;
409:
410: if ((sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0) {
411: perror("socket");
412: return(1);
413: }
414:
415: if (connect(sock, (struct sockaddr *) &sin, sizeof(sin)) < 0) {
416: perror("connect");
417: close(sock);
418: return(1);
419: }
420:
421: rval = krb_sendauth(
422: authopts, /* NOT mutual */
423: sock,
424: &ticket, /* (filled in) */
425: SERVICE,
426: krbhst, /* instance (krbhst) */
427: realm, /* dest realm */
428: (u_long) getpid(), /* checksum */
429: NULL, /* msg data */
430: NULL, /* credentials */
431: NULL, /* schedule */
432: NULL, /* local addr */
433: NULL, /* foreign addr */
434: "KPWDV0.1"
435: );
436:
437:
438: if (rval != KSUCCESS) {
439: fprintf(stderr, "Kerberos sendauth error: %s\n",
440: krb_err_txt[rval]);
441: return(1);
442: }
443:
444: krb_get_cred("krbtgt", realm, realm, &cred);
445:
446: printf("Changing Kerberos password for %s.%s@%s.\n",
447: cred.pname, cred.pinst, realm);
448:
449: if (des_read_pw_string(pass,
450: sizeof(pass)-1, "Old Kerberos password:", 0)) {
451: fprintf(stderr,
452: "error reading old Kerberos password\n");
453: return(1);
454: }
455:
456: (void)des_string_to_key(pass, okey);
457: (void)des_key_sched(okey, osched);
458: (void)des_set_key(okey, osched);
459:
460: /* wait on the verification string */
461:
462: FD_ZERO(&readfds);
463: FD_SET(sock, &readfds);
464:
465: rval =
466: select(sock + 1, &readfds, (fd_set *) 0, (fd_set *) 0, &timeout);
467:
468: if ((rval < 1) || !FD_ISSET(sock, &readfds)) {
469: if(rval == 0) {
470: fprintf(stderr, "timed out (aborted)\n");
471: cleanup();
472: return(1);
473: }
474: fprintf(stderr, "select failed (aborted)\n");
475: cleanup();
476: return(1);
477: }
478:
479: /* read verification string */
480:
481: if (des_read(sock, &proto_data, sizeof(proto_data)) !=
482: sizeof(proto_data)) {
483: fprintf(stderr,
484: "couldn't read verification string (aborted)\n");
485: cleanup();
486: return(1);
487: }
488:
489: (void)signal(SIGHUP, finish);
490: (void)signal(SIGINT, finish);
491:
492: if (strcmp(SECURE_STRING, proto_data.secure_msg) != 0) {
493: cleanup();
494: /* don't complain loud if user just hit return */
495: if (pass == NULL || (!*pass))
496: return(0);
497: fprintf(stderr, "Sorry\n");
498: return(1);
499: }
500:
501: (void)des_key_sched(proto_data.random_key, random_schedule);
502: (void)des_set_key(proto_data.random_key, random_schedule);
503: (void)bzero(pass, sizeof(pass));
504:
505: if (des_read_pw_string(pass,
506: sizeof(pass)-1, "New Kerberos password:", 0)) {
507: fprintf(stderr,
508: "error reading new Kerberos password (aborted)\n");
509: cleanup();
510: return(1);
511: }
512:
513: if (des_read_pw_string(password,
514: sizeof(password)-1, "Retype new Kerberos password:", 0)) {
515: fprintf(stderr,
516: "error reading new Kerberos password (aborted)\n");
517: cleanup();
518: return(1);
519: }
520:
521: if (strcmp(password, pass) != 0) {
522: fprintf(stderr, "password mismatch (aborted)\n");
523: cleanup();
524: return(1);
525: }
526:
527: if (strlen(pass) == 0)
528: printf("using NULL password\n");
529:
530: send_update(sock, password, SECURE_STRING);
531:
532: /* wait for ACK */
533:
534: FD_ZERO(&readfds);
535: FD_SET(sock, &readfds);
536:
537: rval =
538: select(sock + 1, &readfds, (fd_set *) 0, (fd_set *) 0, &timeout);
539: if ((rval < 1) || !FD_ISSET(sock, &readfds)) {
540: if(rval == 0) {
541: fprintf(stderr, "timed out reading ACK (aborted)\n");
542: cleanup();
543: exit(1);
544: }
545: fprintf(stderr, "select failed (aborted)\n");
546: cleanup();
547: exit(1);
548: }
549:
550: recv_ack(sock);
551: cleanup();
552: exit(0);
553: }
554:
555: send_update(dest, pwd, str)
556: int dest;
557: char *pwd, *str;
558: {
559: static struct update_data ud;
560: strncpy(ud.secure_msg, str, _PASSWORD_LEN);
561: strncpy(ud.pw, pwd, sizeof(ud.pw));
562: if (des_write(dest, &ud, sizeof(ud)) != sizeof(ud)) {
563: fprintf(stderr, "couldn't write pw update (abort)\n");
564: bzero(ud, sizeof(ud));
565: cleanup();
566: exit(1);
567: }
568: }
569:
570: recv_ack(remote)
571: int remote;
572: {
573: int cc;
574: char buf[BUFSIZ];
575: cc = des_read(remote, buf, sizeof(buf));
576: if (cc <= 0) {
577: fprintf(stderr, "error reading acknowledgement (aborted)\n");
578: cleanup();
579: exit(1);
580: }
581: printf("%s", buf);
582: }
583:
584: cleanup()
585: {
586: (void)bzero(&proto_data, sizeof(proto_data));
587: (void)bzero(okey, sizeof(okey));
588: (void)bzero(osched, sizeof(osched));
589: (void)bzero(random_schedule, sizeof(random_schedule));
590: }
591:
592: finish()
593: {
594: (void)close(sock);
595: exit(1);
596: }
597:
598: #endif /* KERBEROS */
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.