1 /* $NetBSD: skeyinit.c,v 1.13 2000/07/07 00:18:29 mjl Exp $ */ 2 3 /* S/KEY v1.1b (skeyinit.c) 4 * 5 * Authors: 6 * Neil M. Haller <nmh@thumper.bellcore.com> 7 * Philip R. Karn <karn@chicago.qualcomm.com> 8 * John S. Walden <jsw@thumper.bellcore.com> 9 * Scott Chasin <chasin@crimelab.com> 10 * 11 * Modifications: 12 * Todd C. Miller <Todd.Miller@courtesan.com> 13 * 14 * S/KEY initialization and seed update 15 */ 16 17 #include <sys/param.h> 18 #include <sys/time.h> 19 #include <sys/resource.h> 20 21 #include <ctype.h> 22 #include <err.h> 23 #include <errno.h> 24 #include <fcntl.h> 25 #include <pwd.h> 26 #include <stdio.h> 27 #include <stdlib.h> 28 #include <string.h> 29 #include <time.h> 30 #include <unistd.h> 31 #include <utmp.h> 32 33 #include <skey.h> 34 35 #ifndef SKEY_NAMELEN 36 #define SKEY_NAMELEN 4 37 #endif 38 39 int main __P((int, char **)); 40 41 int main(int argc, char **argv) 42 { 43 int rval, nn, i, l; 44 int n = 0, defaultsetup = 1, zerokey = 0, hexmode = 0; 45 time_t now; 46 char hostname[MAXHOSTNAMELEN + 1]; 47 char seed[SKEY_MAX_PW_LEN+2], key[SKEY_BINKEY_SIZE], defaultseed[SKEY_MAX_SEED_LEN+1]; 48 char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2], tbuf[27], buf[80]; 49 char lastc, me[UT_NAMESIZE+1], *p, *pw, *ht = NULL; 50 const char *salt; 51 struct skey skey; 52 struct passwd *pp; 53 struct tm *tm; 54 int c; 55 56 if (geteuid() != 0) 57 errx(1, "must be setuid root."); 58 59 if (gethostname(hostname, sizeof(hostname)) < 0) 60 err(1, "gethostname"); 61 (void)strncpy(defaultseed, hostname, sizeof(defaultseed)- 1); 62 defaultseed[SKEY_NAMELEN] = '\0'; 63 (void)time(&now); 64 (void)sprintf(tbuf, "%05ld", (long) (now % 100000)); 65 (void)strncat(defaultseed, tbuf, sizeof(defaultseed) - 5); 66 67 if ((pp = getpwuid(getuid())) == NULL) 68 err(1, "no user with uid %ld", (u_long)getuid()); 69 (void)strncpy(me, pp->pw_name, sizeof(me) - 1); 70 71 if ((pp = getpwnam(me)) == NULL) 72 err(1, "Who are you?"); 73 salt = pp->pw_passwd; 74 75 while((c = getopt(argc, argv, "n:t:sxz")) != -1) { 76 switch(c) { 77 case 'n': 78 n = atoi(optarg); 79 if(n < 1 || n > SKEY_MAX_SEQ) 80 errx(1, "count must be between 1 and %d", SKEY_MAX_SEQ); 81 break; 82 case 't': 83 if(skey_set_algorithm(optarg) == NULL) 84 errx(1, "Unknown hash algorithm %s", optarg); 85 ht = optarg; 86 break; 87 case 's': 88 defaultsetup = 0; 89 break; 90 case 'x': 91 hexmode = 1; 92 break; 93 case 'z': 94 zerokey = 1; 95 break; 96 default: 97 err(1, "Usage: %s [-n count] [-t md4|md5|sha1] [-s] [-x] [-z] [user]\n", argv[0]); 98 } 99 } 100 101 if(argc > optind) { 102 pp = getpwnam(argv[optind]); 103 if (pp == NULL) 104 errx(1, "User %s unknown", argv[optind]); 105 } 106 107 if (strcmp(pp->pw_name, me) != 0) { 108 if (getuid() != 0) { 109 /* Only root can change other's passwds */ 110 errx(1, "Permission denied."); 111 } 112 } 113 114 if (getuid() != 0) { 115 pw = getpass("Password:"); 116 p = crypt(pw, salt); 117 118 if (strcmp(p, pp->pw_passwd)) { 119 errx(1, "Password incorrect."); 120 } 121 } 122 123 rval = skeylookup(&skey, pp->pw_name); 124 switch (rval) { 125 case -1: 126 err(1, "cannot open database"); 127 case 0: 128 /* comment out user if asked to */ 129 if (zerokey) 130 exit(skeyzero(&skey, pp->pw_name)); 131 132 printf("[Updating %s]\n", pp->pw_name); 133 printf("Old key: [%s] %s\n", skey_get_algorithm(), skey.seed); 134 135 /* 136 * lets be nice if they have a skey.seed that 137 * ends in 0-8 just add one 138 */ 139 l = strlen(skey.seed); 140 if (l > 0) { 141 lastc = skey.seed[l - 1]; 142 if (isdigit((unsigned char)lastc) && lastc != '9') { 143 (void)strncpy(defaultseed, skey.seed, 144 sizeof(defaultseed) - 1); 145 defaultseed[l - 1] = lastc + 1; 146 } 147 if (isdigit((unsigned char)lastc) && lastc == '9' && 148 l < 16) { 149 (void)strncpy(defaultseed, skey.seed, 150 sizeof(defaultseed) - 1); 151 defaultseed[l - 1] = '0'; 152 defaultseed[l] = '0'; 153 defaultseed[l + 1] = '\0'; 154 } 155 } 156 break; 157 case 1: 158 if (zerokey) 159 errx(1, "You have no entry to zero."); 160 printf("[Adding %s]\n", pp->pw_name); 161 break; 162 } 163 164 if(n==0) 165 n = 99; 166 167 /* Set hash type if asked to */ 168 if (ht) { 169 /* Need to zero out old key when changing algorithm */ 170 if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht)) 171 zerokey = 1; 172 } 173 174 if (!defaultsetup) { 175 printf("You need the 6 english words generated from the \"skey\" command.\n"); 176 for (i = 0;; i++) { 177 if (i >= 2) 178 exit(1); 179 printf("Enter sequence count from 1 to %d: ", SKEY_MAX_SEQ); 180 fgets(buf, sizeof(buf), stdin); 181 n = atoi(buf); 182 if (n > 0 && n < SKEY_MAX_SEQ) 183 break; /* Valid range */ 184 printf("\nError: Count must be between 0 and %d\n", SKEY_MAX_SEQ); 185 } 186 187 for (i = 0;; i++) { 188 if (i >= 2) 189 exit(1); 190 191 printf("Enter new seed [default %s]: ", defaultseed); 192 fflush(stdout); 193 fgets(seed, sizeof(seed), stdin); 194 rip(seed); 195 for (p = seed; *p; p++) { 196 if (isalpha(*p)) { 197 if (isupper(*p)) 198 *p = tolower(*p); 199 } else if (!isdigit(*p)) { 200 (void)puts("Error: seed may only contain alphanumeric characters"); 201 break; 202 } 203 } 204 if (*p == '\0') 205 break; /* Valid seed */ 206 } 207 if (strlen(seed) > SKEY_MAX_SEED_LEN) { 208 printf("Notice: Seed truncated to %d characters.\n", SKEY_MAX_SEED_LEN); 209 seed[SKEY_MAX_SEED_LEN] = '\0'; 210 } 211 if (seed[0] == '\0') 212 (void)strcpy(seed, defaultseed); 213 214 for (i = 0;; i++) { 215 if (i >= 2) 216 exit(1); 217 218 printf("otp-%s %d %s\ns/key access password: ", 219 skey_get_algorithm(), n, seed); 220 fgets(buf, sizeof(buf), stdin); 221 rip(buf); 222 backspace(buf); 223 224 if (buf[0] == '?') { 225 puts("Enter 6 English words from secure S/Key calculation."); 226 continue; 227 } else if (buf[0] == '\0') { 228 exit(1); 229 } 230 if (etob(key, buf) == 1 || atob8(key, buf) == 0) 231 break; /* Valid format */ 232 (void)puts("Invalid format - try again with 6 English words."); 233 } 234 } else { 235 /* Get user's secret password */ 236 puts("Reminder - Only use this method if you are directly connected\n" 237 " or have an encrypted channel. If you are using telnet\n" 238 " or rlogin, exit with no password and use skeyinit -s.\n"); 239 240 for (i = 0;; i++) { 241 if (i >= 2) 242 exit(1); 243 244 printf("Enter secret password: "); 245 readpass(passwd, sizeof(passwd)); 246 if (passwd[0] == '\0') 247 exit(1); 248 249 if (strlen(passwd) < SKEY_MIN_PW_LEN) { 250 (void)fprintf(stderr, 251 "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN); 252 continue; 253 } else if (strcmp(passwd, pp->pw_name) == 0) { 254 (void)fputs("Your password may not be the same as your user name.\n", stderr); 255 continue; 256 } 257 #if 0 258 else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) { 259 (void)fputs("Your password must contain more than just lower case letters.\n" 260 "Whitespace, numbers, and puctuation are suggested.\n", stderr); 261 continue; 262 } 263 #endif 264 printf("Again secret password: "); 265 readpass(passwd2, sizeof(passwd)); 266 if (passwd2[0] == '\0') 267 exit(1); 268 269 if (strcmp(passwd, passwd2) == 0) 270 break; 271 272 puts("Passwords do not match."); 273 } 274 275 /* Crunch seed and password into starting key */ 276 (void)strcpy(seed, defaultseed); 277 if (keycrunch(key, seed, passwd) != 0) 278 err(2, "key crunch failed"); 279 nn = n; 280 while (nn-- != 0) 281 f(key); 282 } 283 (void)time(&now); 284 tm = localtime(&now); 285 (void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm); 286 287 if ((skey.val = (char *)malloc(16 + 1)) == NULL) 288 err(1, "Can't allocate memory"); 289 290 /* Zero out old key if necesary (entry would change size) */ 291 if (zerokey) { 292 (void)skeyzero(&skey, pp->pw_name); 293 /* Re-open keys file and seek to the end */ 294 if (skeylookup(&skey, pp->pw_name) == -1) 295 err(1, "cannot open database"); 296 } 297 298 btoa8(skey.val, key); 299 300 /* 301 * Obtain an exclusive lock on the key file so we don't 302 * clobber someone authenticating themselves at the same time. 303 */ 304 for (i = 0; i < 300; i++) { 305 if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0 306 || errno != EWOULDBLOCK) 307 break; 308 usleep(100000); /* Sleep for 0.1 seconds */ 309 } 310 if (rval == -1) { /* Can't get exclusive lock */ 311 errno = EAGAIN; 312 err(1, "cannot open database"); 313 } 314 315 /* Don't save algorithm type for md4 (keep record length same) */ 316 if (strcmp(skey_get_algorithm(), "md4") == 0) 317 (void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n", 318 pp->pw_name, n, seed, skey.val, tbuf); 319 else 320 (void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n", 321 pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf); 322 323 (void)fclose(skey.keyfile); 324 325 (void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name, 326 skey_get_algorithm(), n, seed); 327 (void)printf("Next login password: %s\n\n", 328 hexmode ? put8(buf, key) : btoe(buf, key)); 329 330 return(0); 331 } 332