1 /* $NetBSD: skeyinit.c,v 1.17 2002/04/23 06:10:42 itohy Exp $ */ 2 3 /* S/KEY v1.1b (skeyinit.c) 4 * 5 * Authors: 6 * Neil M. Haller <nmh@thumper.bellcore.com> 7 * Philip R. Karn <karn@chicago.qualcomm.com> 8 * John S. Walden <jsw@thumper.bellcore.com> 9 * Scott Chasin <chasin@crimelab.com> 10 * 11 * Modifications: 12 * Todd C. Miller <Todd.Miller@courtesan.com> 13 * 14 * S/KEY initialization and seed update 15 */ 16 17 #include <sys/param.h> 18 #include <sys/time.h> 19 #include <sys/resource.h> 20 21 #include <ctype.h> 22 #include <err.h> 23 #include <errno.h> 24 #include <fcntl.h> 25 #include <paths.h> 26 #include <pwd.h> 27 #include <stdio.h> 28 #include <stdlib.h> 29 #include <string.h> 30 #include <time.h> 31 #include <unistd.h> 32 #include <utmp.h> 33 34 #include <skey.h> 35 36 #ifndef SKEY_NAMELEN 37 #define SKEY_NAMELEN 4 38 #endif 39 40 int main __P((int, char **)); 41 42 int main(int argc, char **argv) 43 { 44 int rval, nn, i, l; 45 int n = 0, defaultsetup = 1, zerokey = 0, hexmode = 0; 46 time_t now; 47 char hostname[MAXHOSTNAMELEN + 1]; 48 char seed[SKEY_MAX_PW_LEN+2], key[SKEY_BINKEY_SIZE], defaultseed[SKEY_MAX_SEED_LEN+1]; 49 char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2], tbuf[27], buf[80]; 50 char lastc, me[UT_NAMESIZE+1], *p, *pw, *ht = NULL; 51 const char *salt; 52 struct skey skey; 53 struct passwd *pp; 54 struct tm *tm; 55 int c; 56 57 /* 58 * Make sure using stdin/stdout/stderr is safe 59 * after opening any file. 60 */ 61 i = open(_PATH_DEVNULL, O_RDWR); 62 while (i >= 0 && i < 2) 63 i = dup(i); 64 if (i > 2) 65 close(i); 66 67 if (geteuid() != 0) 68 errx(1, "must be setuid root."); 69 70 if (gethostname(hostname, sizeof(hostname)) < 0) 71 err(1, "gethostname"); 72 73 /* 74 * Copy the hostname into the default seed, eliminating any 75 * non alpha-numeric characters. 76 */ 77 for (i = 0, l = 0; l < sizeof(defaultseed); i++) { 78 if (hostname[i] == '\0') { 79 defaultseed[l] = hostname[i]; 80 break; 81 } 82 if (isalnum(hostname[i])) 83 defaultseed[l++] = hostname[i]; 84 } 85 86 defaultseed[SKEY_NAMELEN] = '\0'; 87 (void)time(&now); 88 (void)sprintf(tbuf, "%05ld", (long) (now % 100000)); 89 (void)strncat(defaultseed, tbuf, sizeof(defaultseed) - 5); 90 91 if ((pp = getpwuid(getuid())) == NULL) 92 err(1, "no user with uid %ld", (u_long)getuid()); 93 (void)strncpy(me, pp->pw_name, sizeof(me) - 1); 94 me[sizeof(me) - 1] = '\0'; 95 96 if ((pp = getpwnam(me)) == NULL) 97 err(1, "Who are you?"); 98 salt = pp->pw_passwd; 99 100 while((c = getopt(argc, argv, "n:t:sxz")) != -1) { 101 switch(c) { 102 case 'n': 103 n = atoi(optarg); 104 if(n < 1 || n > SKEY_MAX_SEQ) 105 errx(1, "count must be between 1 and %d", SKEY_MAX_SEQ); 106 break; 107 case 't': 108 if(skey_set_algorithm(optarg) == NULL) 109 errx(1, "Unknown hash algorithm %s", optarg); 110 ht = optarg; 111 break; 112 case 's': 113 defaultsetup = 0; 114 break; 115 case 'x': 116 hexmode = 1; 117 break; 118 case 'z': 119 zerokey = 1; 120 break; 121 default: 122 err(1, "Usage: %s [-n count] [-t md4|md5|sha1] [-s] [-x] [-z] [user]\n", argv[0]); 123 } 124 } 125 126 if(argc > optind) { 127 pp = getpwnam(argv[optind]); 128 if (pp == NULL) 129 errx(1, "User %s unknown", argv[optind]); 130 } 131 132 if (strcmp(pp->pw_name, me) != 0) { 133 if (getuid() != 0) { 134 /* Only root can change other's passwds */ 135 errx(1, "Permission denied."); 136 } 137 } 138 139 if (getuid() != 0) { 140 pw = getpass("Password:"); 141 p = crypt(pw, salt); 142 143 if (strcmp(p, pp->pw_passwd)) { 144 errx(1, "Password incorrect."); 145 } 146 } 147 148 rval = skeylookup(&skey, pp->pw_name); 149 switch (rval) { 150 case -1: 151 err(1, "cannot open database"); 152 case 0: 153 /* comment out user if asked to */ 154 if (zerokey) 155 exit(skeyzero(&skey, pp->pw_name)); 156 157 printf("[Updating %s]\n", pp->pw_name); 158 printf("Old key: [%s] %s\n", skey_get_algorithm(), skey.seed); 159 160 /* 161 * lets be nice if they have a skey.seed that 162 * ends in 0-8 just add one 163 */ 164 l = strlen(skey.seed); 165 if (l > 0) { 166 lastc = skey.seed[l - 1]; 167 if (isdigit((unsigned char)lastc) && lastc != '9') { 168 (void)strncpy(defaultseed, skey.seed, 169 sizeof(defaultseed) - 1); 170 defaultseed[l - 1] = lastc + 1; 171 } 172 if (isdigit((unsigned char)lastc) && lastc == '9' && 173 l < 16) { 174 (void)strncpy(defaultseed, skey.seed, 175 sizeof(defaultseed) - 1); 176 defaultseed[l - 1] = '0'; 177 defaultseed[l] = '0'; 178 defaultseed[l + 1] = '\0'; 179 } 180 } 181 break; 182 case 1: 183 if (zerokey) 184 errx(1, "You have no entry to zero."); 185 printf("[Adding %s]\n", pp->pw_name); 186 break; 187 } 188 189 if(n==0) 190 n = 99; 191 192 /* Set hash type if asked to */ 193 if (ht) { 194 /* Need to zero out old key when changing algorithm */ 195 if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht)) 196 zerokey = 1; 197 } 198 199 if (!defaultsetup) { 200 printf("You need the 6 english words generated from the \"skey\" command.\n"); 201 for (i = 0;; i++) { 202 if (i >= 2) 203 exit(1); 204 printf("Enter sequence count from 1 to %d: ", SKEY_MAX_SEQ); 205 fgets(buf, sizeof(buf), stdin); 206 n = atoi(buf); 207 if (n > 0 && n < SKEY_MAX_SEQ) 208 break; /* Valid range */ 209 printf("\nError: Count must be between 0 and %d\n", SKEY_MAX_SEQ); 210 } 211 212 for (i = 0;; i++) { 213 if (i >= 2) 214 exit(1); 215 216 printf("Enter new seed [default %s]: ", defaultseed); 217 fflush(stdout); 218 fgets(seed, sizeof(seed), stdin); 219 rip(seed); 220 for (p = seed; *p; p++) { 221 if (isalpha(*p)) { 222 if (isupper(*p)) 223 *p = tolower(*p); 224 } else if (!isdigit(*p)) { 225 (void)puts("Error: seed may only contain alphanumeric characters"); 226 break; 227 } 228 } 229 if (*p == '\0') 230 break; /* Valid seed */ 231 } 232 if (strlen(seed) > SKEY_MAX_SEED_LEN) { 233 printf("Notice: Seed truncated to %d characters.\n", SKEY_MAX_SEED_LEN); 234 seed[SKEY_MAX_SEED_LEN] = '\0'; 235 } 236 if (seed[0] == '\0') 237 (void)strcpy(seed, defaultseed); 238 239 for (i = 0;; i++) { 240 if (i >= 2) 241 exit(1); 242 243 printf("otp-%s %d %s\ns/key access password: ", 244 skey_get_algorithm(), n, seed); 245 fgets(buf, sizeof(buf), stdin); 246 rip(buf); 247 backspace(buf); 248 249 if (buf[0] == '?') { 250 puts("Enter 6 English words from secure S/Key calculation."); 251 continue; 252 } else if (buf[0] == '\0') { 253 exit(1); 254 } 255 if (etob(key, buf) == 1 || atob8(key, buf) == 0) 256 break; /* Valid format */ 257 (void)puts("Invalid format - try again with 6 English words."); 258 } 259 } else { 260 /* Get user's secret password */ 261 puts("Reminder - Only use this method if you are directly connected\n" 262 " or have an encrypted channel. If you are using telnet\n" 263 " or rlogin, exit with no password and use skeyinit -s.\n"); 264 265 for (i = 0;; i++) { 266 if (i >= 2) 267 exit(1); 268 269 printf("Enter secret password: "); 270 readpass(passwd, sizeof(passwd)); 271 if (passwd[0] == '\0') 272 exit(1); 273 274 if (strlen(passwd) < SKEY_MIN_PW_LEN) { 275 (void)fprintf(stderr, 276 "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN); 277 continue; 278 } else if (strcmp(passwd, pp->pw_name) == 0) { 279 (void)fputs("Your password may not be the same as your user name.\n", stderr); 280 continue; 281 } 282 #if 0 283 else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) { 284 (void)fputs("Your password must contain more than just lower case letters.\n" 285 "Whitespace, numbers, and puctuation are suggested.\n", stderr); 286 continue; 287 } 288 #endif 289 printf("Again secret password: "); 290 readpass(passwd2, sizeof(passwd)); 291 if (passwd2[0] == '\0') 292 exit(1); 293 294 if (strcmp(passwd, passwd2) == 0) 295 break; 296 297 puts("Passwords do not match."); 298 } 299 300 /* Crunch seed and password into starting key */ 301 (void)strcpy(seed, defaultseed); 302 if (keycrunch(key, seed, passwd) != 0) 303 err(2, "key crunch failed"); 304 nn = n; 305 while (nn-- != 0) 306 f(key); 307 } 308 (void)time(&now); 309 tm = localtime(&now); 310 (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm); 311 312 if ((skey.val = (char *)malloc(16 + 1)) == NULL) 313 err(1, "Can't allocate memory"); 314 315 /* Zero out old key if necessary (entry would change size) */ 316 if (zerokey) { 317 (void)skeyzero(&skey, pp->pw_name); 318 /* Re-open keys file and seek to the end */ 319 if (skeylookup(&skey, pp->pw_name) == -1) 320 err(1, "cannot open database"); 321 } 322 323 btoa8(skey.val, key); 324 325 /* 326 * Obtain an exclusive lock on the key file so we don't 327 * clobber someone authenticating themselves at the same time. 328 */ 329 for (i = 0; i < 300; i++) { 330 if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0 331 || errno != EWOULDBLOCK) 332 break; 333 usleep(100000); /* Sleep for 0.1 seconds */ 334 } 335 if (rval == -1) { /* Can't get exclusive lock */ 336 errno = EAGAIN; 337 err(1, "cannot open database"); 338 } 339 340 /* Don't save algorithm type for md4 (keep record length same) */ 341 if (strcmp(skey_get_algorithm(), "md4") == 0) 342 (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n", 343 pp->pw_name, n, seed, skey.val, tbuf); 344 else 345 (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n", 346 pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf); 347 348 (void)fclose(skey.keyfile); 349 350 (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name, 351 skey_get_algorithm(), n, seed); 352 (void)printf("Next login password: %s\n\n", 353 hexmode ? put8(buf, key) : btoe(buf, key)); 354 355 return(0); 356 } 357