![[BACK]](/cvsweb/icons/back.gif){kind=icon}
Return to secserver.c CVS log ![[TXT]](/cvsweb/icons/text.gif){kind=icon}
![[DIR]](/cvsweb/icons/dir.gif){kind=icon}
Up to [Research Unix] / researchv10dc / ipc / mgrs / oauthmgr|
Return to secserver.c CVS log | Up to [Research Unix] / researchv10dc / ipc / mgrs / oauthmgr |
1.1 root 1: #include "authmgr.h"
2:
3: char admins[128];
4: int max_failures = MAX_FAILURES;
5: struct disallow* badlist;
6: int pushed_ld;
7: int gnotflg = 0; /* set if we shouldn't ask for a new number */
8: int dconflg = 0; /* set if real dest is dcon/mesgdcon */
9: int usepasswd = 0; /* set if we should ignore the key file */
10:
11: char dialbuf[128];
12: char* dialstring; /* dialstring from CSOURCE params */
13: char physource[128]; /* the switch.mod.chan stuff from CSOURCE */
14: char srcid[128]=""; /* the first field in CSOURCE */
15: char username[16]=""; /* the user's login name from CSOURCE */
16: char eusername[30]=""; /* effective login name */
17: char nettype[16]; /* shouldn't get bigger than this */
18: char options[16] ;
19: char redialbuf[128] ;
20: char defsvc[16]=""; /* default service */
21: FILE *log=0; /* log file */
22:
23: struct secmap *secidlist; /* list of security ID mappings */
24:
25: #define MLIST_SIZE 10
26: regsubexp mlist[MLIST_SIZE]; /* a match list for regexec */
27:
28: char* SYNTAX = "authmgr: Syntax error at line %d of control file\n";
29: #define DCON_CHALLENGE "CH" /* the dcon challenge response */
30:
31: int init(); /*forward*/
32: extern struct keyinfo* getkeyinfo();
33: char *makesourceid(); /*forward*/
34: char *getenv();
35: char *getpass();
36:
37: /*
38: * security - an authentication server
39: *
40: * For a given user, this locates that user's key in the
41: * key database, challenges the user to encrypt some data,
42: * and compares that user's result with the result of
43: * encrypting the data with the user's real key. If the
44: * results are the same, the user is authenticated, otherwise,
45: * no.
46: */
47: main(argc, argv)
48: int argc;
49: char* argv[];
50: {
51: int i, rc;
52: char buf[128];
53: char logname[30], logtries[128];
54: char *bp, *dp;
55: struct keyinfo *kp;
56: unsigned data, l, r;
57: ipcinfo info;
58: struct tm *tm = localtime(time((long *) 0));
59: long now = tm->tm_mday + 100*(tm->tm_mon) + 10000*(tm->tm_yday);
60:
61: if(rc=init(argc, argv) != 0) {
62: puts("REFUSED");
63: exit(rc);
64: }
65:
66:
67: /* main protocol section */
68: for(i=0; i<max_failures; i++) {
69: if(dconflg || gnotflg) {
70: printf("%s", DCON_CHALLENGE);
71: if(safegets(buf, sizeof(buf)) == NULL)
72: exit(0);
73: logname[8] = '\0';
74: strncpy(logname, buf, 8);
75: kp = getkeyinfo(logname, usepasswd);
76: bp = (*kp->kt->chal)(kp);
77: if(bp)
78: printf("%s\n", bp); /* send the challenge */
79: else
80: putchar('\n');
81: if(safegets(buf, sizeof(buf)) == NULL)
82: exit(0);
83: } else {
84: if(*eusername != '\0') {
85: strcpy(logname, eusername);
86: *eusername = '\0';
87: printf("login: %s\n", logname);
88: } else {
89: printf("login: ");
90: if(safegets(logname, sizeof(logname)) == NULL || *logname == '\0')
91: exit(0);
92: }
93: kp = getkeyinfo(logname, usepasswd);
94: bp = (*kp->kt->chal)(kp);
95: if(bp) {
96: printf("Enter response code for %s: ", bp);
97: if(safegets(buf, sizeof(buf)) == NULL || buf[0] == '\0')
98: exit(0);
99: } else {
100: printf("Password: ");
101: readnoecho(buf, sizeof buf);
102: }
103: }
104: (void) strcat(logtries, logname);
105: (void) strcat(logtries, " ");
106: strcpy(eusername, logname);
107:
108: if((kp->expire >= now) && (*kp->kt->comp)(kp, buf) == 0) {
109: goto success;
110: }
111: }
112:
113: doadmin(logtries);
114: puts("REFUSED");
115: exit(1);
116: success:
117: /* if no dialstring, ask for one */
118: /* if dconflg is set, dialstring isn't 0 */
119: if(dialstring == 0 || *dialstring == 0) {
120: i = 0;
121: while(i < max_failures) {
122: printf("\nDestination please: ");
123: fflush(stdout);
124: if(safegets(dialbuf, sizeof dialbuf) == NULL)
125: exit(0);
126: dialstring = dialbuf;
127: while(*dialstring == ' ' || *dialstring == '\t')
128: *dialstring++;
129: for(dp = dialstring;
130: *dp != '\0' && *dp != ' ' && *dp != '\t'; dp++)
131: ;
132: *dp = '\0';
133: if(*dialstring != '\0')
134: break;
135: i++ ;
136: }
137: if(i == max_failures) {
138: puts("\nNo new dialstring. Goodbye.\n");
139: exit(1);
140: }
141: }
142:
143: if (gnotflg)
144: options[0] = 'U' ;
145: else
146: options[0] = '-' ;
147: options[1] = 0 ;
148:
149: /* using "dialstring", send a redial msg to mgr */
150: strcpy(redialbuf, options) ;
151: strcat(redialbuf, ">") ;
152: strcat(redialbuf, dialstring) ;
153:
154: info.rfd = -1;
155: info.cfd = 0; /* pass back fd 0 */
156: info.myname = NULL;
157: info.user = logname;
158: info.machine = "";
159: info.uid = info.gid = -1;
160: info.name = ipcpath(redialbuf, nettype, defsvc);
161: info.param = "light"; /* bogus */
162: info.flags = 0;
163: if (log != 0) {
164: lognow();
165: fprintf(log, "%s %s (%s) redialing to %s\n",
166: srcid, username, eusername, info.name);
167: fclose(log);
168: }
169: if(pushed_ld)
170: ioctl(0, FIOPOPLD, (void *)0);
171: if(ipcredial(&info) != 0)
172: ; /* should complain somehow! */
173: exit(0);
174: }
175:
176: int
177: init(ac, av)
178: int ac;
179: char* av[];
180: {
181: FILE* cf;
182: char line[128] ;
183: #define NFLDS 10
184: char *fld[NFLDS];
185: int l, i, j, errflg = 0;
186: struct disallow *d = 0, *dp;
187: struct secmap *sp, *slp = 0;
188: regexp *prog;
189: char *c, *c2 = 0;
190: char *cntlfile = CONTROL_FILE;
191: int seen_defmap = 0;
192: char *malloc();
193: extern char *optarg;
194: extern int optind;
195:
196: while((i = getopt(ac, av, "nf:")) != -1)
197: switch(i) {
198: case 'n':
199: gnotflg++;
200: break;
201: case 'f':
202: cntlfile = optarg;
203: break;
204: case '?':
205: errflg++;
206: break;
207: }
208: if(errflg) {
209: fprintf(stderr, "authmgr: bad arglist\n");
210: return 1;
211: }
212: strcpy(physource, "auth1.1.1.F");
213: chdir("/tmp"); /* in case of core dumps; I wanna find them */
214: c = getenv("CSOURCE");
215: if(c) {
216: /* this "knows" the format of a CSOURCE */
217: if(strncmp(c, "source=", 7) == 0) {
218: c += 7;
219: c2 = nettype;
220: while(*c != '!')
221: *c2++ = *c++;
222: *c2 = '\0';
223:
224: c++;
225: c2 = srcid;
226: while(*c != ' ')
227: *c2++ = *c++;
228: *c2 = '\0';
229: } else
230: strcpy(nettype, "dk"); /* XXX */
231:
232: while(c = strchr(c, ' ')) {
233: c++;
234: if(strncmp(c, "user=", 5) == 0) {
235: c += 5;
236: c2 = username;
237: i = 0;
238: while(*c != ' ') {
239: if(*c >= '0' && *c <= '9')
240: i++;
241: *c2++ = *c++;
242: }
243: *c2 = '\0';
244: c++;
245: /*
246: * ignore the user name if it's numeric or
247: * if it's the magic unknown user
248: */
249: if(i == strlen(username) || strcmp(username, "_unknown_") == 0)
250: username[0] = '\0';
251: }
252: if(strncmp(c, "line=", 5) == 0) {
253: strcpy(physource, c+5);
254: break;
255: }
256: }
257: }
258: strcpy(eusername, username);
259: c = getenv("CDEST");
260: if(c) {
261: strcpy(line, c);
262: c = line;
263: setfields("!");
264: i = getfields(c, fld, NFLDS);
265: if(i >= 4) {
266: /* check if it matches my service; if so, ignore it */
267: j = strlen(fld[2]);
268: if((i = strlen(fld[3])) <= j ||
269: strcmp(&fld[3][i-j], fld[2]) != 0) {
270: strcpy(dialbuf, fld[3]);
271: dialstring = dialbuf;
272: }
273: }
274: }
275:
276: if(dialstring != NULL) {
277: if((i = strlen(dialstring)) > 4 &&
278: strcmp(&dialstring[i-4], "dcon") == 0)
279: dconflg++;
280: }
281: if(!dconflg && !gnotflg)
282: printf("Security Authentication check\n\n");
283:
284: if((cf = fopen(cntlfile, "r")) == NULL) {
285: fprintf(stderr, "authmgr: No control file\n");
286: return 2;
287: }
288:
289: setfields(" \t");
290: l = 0;
291: while(fgets(line, 128, cf) != NULL) {
292: l++;
293: for(i=0; line[i] == ' ' || line[i] == '\t'; i++)
294: ;
295: if(line[i] == '#') /* ignore comments */
296: continue;
297: if((c = strchr(&line[i], '\n')) != NULL) /* strip newline */
298: *c = '\0';
299:
300: i = getmfields(&line[i], fld, NFLDS);
301: if(i == 0) /* blank line */
302: continue;
303:
304: if(strcmp(fld[0], "admin") == 0) {
305: if(i < 2) {
306: fprintf(stderr, SYNTAX, l);
307: return 3;
308: }
309: (void) strcpy(admins, fld[1]);
310: for(j=2; j<i; j++) {
311: strcat(admins, " ");
312: strcat(admins, fld[j]);
313: }
314: } else if(strcmp(fld[0], "failures") == 0) {
315: if(i != 2 || (max_failures = atoi(fld[1])) < 3) {
316: fprintf(stderr, SYNTAX, l);
317: return 4;
318: }
319: } else if(strcmp(fld[0], "disallow") == 0) {
320: if(i != 2) {
321: fprintf(stderr, SYNTAX, l);
322: return 5;
323: }
324: dp = (struct disallow*) malloc(sizeof(struct disallow));
325: if(dp == 0) {
326: fprintf(stderr, "authmgr: out of memory\n");
327: return 6;
328: }
329: (void) strncpy(dp->logname, fld[1], 8);
330: dp->logname[8] = '\0';
331: dp->next = NULL;
332: if(d == 0) {
333: badlist = d = dp;
334: } else {
335: d->next = dp;
336: d = dp;
337: }
338: } else if(strcmp(fld[0], "usepasswd") == 0) {
339: if(i != 2) {
340: fprintf(stderr, SYNTAX, l);
341: return 7;
342: }
343: if((prog = regcomp(fld[1])) == NULL) {
344: fprintf(stderr, SYNTAX, l);
345: free((char*)prog);
346: return 8;
347: }
348: if(regexec(prog, srcid, mlist, MLIST_SIZE) != 0) {
349: usepasswd++;
350: }
351: } else if(strcmp(fld[0], "setuser") == 0) {
352: if((i < 2) | (i > 3)) {
353: fprintf(stderr, SYNTAX, l);
354: return 9;
355: }
356: if((prog = regcomp(fld[1])) == NULL) {
357: fprintf(stderr, SYNTAX, l);
358: free((char*)prog);
359: return 10;
360: }
361: if(regexec(prog, srcid, mlist, MLIST_SIZE) != 0) {
362: if (i == 2)
363: eusername[0] = '\0';
364: else {
365: strncpy(eusername, fld[2], 8);
366: eusername[8] = '\0';
367: }
368: }
369: } else if(strcmp(fld[0], "setsvc") == 0) {
370: if(i != 3) {
371: fprintf(stderr, SYNTAX, l);
372: return 11;
373: }
374: if((prog = regcomp(fld[1])) == NULL) {
375: fprintf(stderr, SYNTAX, l);
376: free((char*)prog);
377: return 12;
378: }
379: if(regexec(prog, srcid, mlist, MLIST_SIZE) == 0)
380: continue;
381: strncpy(defsvc, fld[2], 16);
382: defsvc[16]='\0';
383: } else if(strcmp(fld[0], "setlog") == 0) {
384: if(i != 3) {
385: fprintf(stderr, SYNTAX, l);
386: return 13;
387: }
388: if((prog = regcomp(fld[1])) == NULL) {
389: fprintf(stderr, SYNTAX, l);
390: free((char*)prog);
391: return 13;
392: }
393: if(regexec(prog, srcid, mlist, MLIST_SIZE) == 0)
394: continue;
395: if((log = fopen(fld[2], "a")) == NULL) {
396: fprintf(stderr, "Can't open log file %s\n", fld[2]);
397: return 20;
398: }
399: } else if(strcmp(fld[0], "secidmap") == 0) {
400: if(i != 3) {
401: fprintf(stderr, SYNTAX, l);
402: return 14;
403: }
404: sp = (struct secmap*) malloc(sizeof(struct secmap));
405: if(strcmp(fld[1], ".*") == 0)
406: seen_defmap = 1;
407: else if(seen_defmap) {
408: fprintf(stderr, "authmgr: Warning; default secidmap is not last secidmap at line %d\n", l);
409: free((char *)sp);
410: continue;
411: }
412: if((sp->prog = regcomp(fld[1])) == NULL) {
413: fprintf(stderr, SYNTAX, l);
414: free((char *)sp);
415: return 15;
416: }
417: if(slp == 0)
418: slp = secidlist = sp;
419: else {
420: slp->next = sp;
421: slp = sp;
422: }
423: slp->secid = strdup(fld[2]);
424: slp->next = NULL;
425: } else {
426: fprintf(stderr, SYNTAX, l);
427: return 16;
428: }
429: }
430: if(!seen_defmap) {
431: fprintf(stderr, "authmgr: No default ID configured. Help!\n");
432: return 17;
433: }
434: if(!dconflg && !gnotflg) {
435: struct tchars tcbuf;
436: extern int tty_ld;
437: /* make sure interface is usable by humans */
438: if(ioctl(0, TIOCGETC, &tcbuf) < 0) {
439: /* no tty ld (of any type) present; push one */
440: if(ioctl(0, FIOPUSHLD, &tty_ld) < 0)
441: printf("No tty processing supported; sorry\n");
442: pushed_ld++;
443: }
444: }
445: return 0;
446: }
447:
448: char*
449: makesourceid()
450: {
451: static char sbuf[128];
452: struct secmap *sp = secidlist;
453:
454: while(sp != NULL) {
455: if(regexec(sp->prog, srcid, mlist, MLIST_SIZE) != 0) {
456: sprintf(sbuf, "%s.%s", sp->secid, physource);
457: return sbuf;
458: }
459: sp = sp->next;
460: }
461: }
462:
463: readnoecho(rbuf, n)
464: char *rbuf;
465: int n;
466: {
467: struct sgttyb sg, noecho;
468: int failed = 0;
469:
470: failed = ioctl(0, TIOCGETP, &sg);
471: if(failed >= 0) {
472: noecho = sg;
473: noecho.sg_flags &= ~ECHO;
474: ioctl(0, TIOCSETP, &noecho);
475: }
476: safegets(rbuf, n);
477: if(failed >= 0)
478: ioctl(0, TIOCSETP, &sg);
479: }
480:
481: void
482: regerror(msg)
483: char *msg;
484: {
485: fprintf(stderr, "authmgr: %s\n", msg);
486: return;
487: }
488:
489: #include <utsname.h>
490:
491: /*
492: * doadmin -
493: * do whatever administrative muck is necessary when a login
494: * fails to authenticate itself after max_failures tries.
495: */
496: doadmin(logname)
497: char* logname;
498: {
499: char buf[256];
500: FILE* f;
501: struct utsname un;
502:
503: if (log != NULL) {
504: lognow();
505: fprintf(log, "%s %s (%s) failed\n",
506: srcid, username, eusername);
507: fclose(log);
508: }
509:
510: (void) uname(&un);
511: sprintf(buf, "/bin/mail %s", admins);
512: if((f = popen(buf, "w")) == NULL)
513: return; /* XXX */
514:
515: fprintf(f, "\
516: Subject: security alert from server %s\n\
517: \n\
518: The login(s) ``%s'' failed to correctly authenticate\n\
519: itself after %d consecutive attempts.\n\
520: The source of the attempts was:\n\
521: %s\n\
522: Recommendation: disable and investigate the login(s).\n",
523: un.nodename, logname, max_failures, getenv("CSOURCE"));
524:
525: (void) pclose(f);
526: }
527:
528:
529: /*
530: * a safe version of gets
531: */
532: safegets(bp, n)
533: char *bp;
534: int n;
535: {
536: char *cp;
537:
538: if(fgets(bp, n, stdin)==NULL)
539: return NULL;
540: for(cp=bp; *cp; cp++)
541: if(*cp=='\r' || *cp =='\n'){
542: *cp = 0;
543: break;
544: }
545: return bp;
546: }
547:
548: lognow()
549: {
550: struct tm *now;
551: long seconds;
552:
553: (void) time(&seconds);
554: now = localtime(&seconds);
555: fprintf(log, "%02d/%02d %02d:%02d:%02d ",
556: now->tm_mon+1, now->tm_mday,
557: now->tm_hour, now->tm_min, now->tm_sec);
558: }
This archive runs on limited infrastructure. Preserving old code on modern bandwidth. Automated agents are requested to crawl responsibly.