xref: /netbsd-src/usr.bin/skeyinit/skeyinit.c (revision 8a8f936f250a330d54f8a24ed0e92aadf9743a7b) 
1 /*	$NetBSD: skeyinit.c,v 1.16 2001/07/24 16:43:03 wiz Exp $	*/
2 
3 /* S/KEY v1.1b (skeyinit.c)
4  *
5  * Authors:
6  *          Neil M. Haller <nmh@thumper.bellcore.com>
7  *          Philip R. Karn <karn@chicago.qualcomm.com>
8  *          John S. Walden <jsw@thumper.bellcore.com>
9  *          Scott Chasin <chasin@crimelab.com>
10  *
11  * Modifications:
12  *          Todd C. Miller <Todd.Miller@courtesan.com>
13  *
14  * S/KEY initialization and seed update
15  */
16 
17 #include <sys/param.h>
18 #include <sys/time.h>
19 #include <sys/resource.h>
20 
21 #include <ctype.h>
22 #include <err.h>
23 #include <errno.h>
24 #include <fcntl.h>
25 #include <pwd.h>
26 #include <stdio.h>
27 #include <stdlib.h>
28 #include <string.h>
29 #include <time.h>
30 #include <unistd.h>
31 #include <utmp.h>
32 
33 #include <skey.h>
34 
35 #ifndef SKEY_NAMELEN
36 #define SKEY_NAMELEN    4
37 #endif
38 
39 int main __P((int, char **));
40 
41 int main(int argc, char **argv)
42 {
43 	int     rval, nn, i, l;
44 	int n = 0, defaultsetup = 1, zerokey = 0, hexmode = 0;
45 	time_t  now;
46 	char	hostname[MAXHOSTNAMELEN + 1];
47 	char    seed[SKEY_MAX_PW_LEN+2], key[SKEY_BINKEY_SIZE], defaultseed[SKEY_MAX_SEED_LEN+1];
48 	char    passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2], tbuf[27], buf[80];
49 	char    lastc, me[UT_NAMESIZE+1], *p, *pw, *ht = NULL;
50 	const	char *salt;
51 	struct	skey skey;
52 	struct	passwd *pp;
53 	struct	tm *tm;
54 	int c;
55 
56 	if (geteuid() != 0)
57 		errx(1, "must be setuid root.");
58 
59 	if (gethostname(hostname, sizeof(hostname)) < 0)
60 		err(1, "gethostname");
61 
62 	/*
63 	 * Copy the hostname into the default seed, eliminating any
64 	 * non alpha-numeric characters.
65 	 */
66 	for (i = 0, l = 0; l < sizeof(defaultseed); i++) {
67 		if (hostname[i] == '\0') {
68 			defaultseed[l] = hostname[i];
69 			break;
70 		}
71 		if (isalnum(hostname[i]))
72 			defaultseed[l++] = hostname[i];
73 	}
74 
75 	defaultseed[SKEY_NAMELEN] = '\0';
76 	(void)time(&now);
77 	(void)sprintf(tbuf, "%05ld", (long) (now % 100000));
78 	(void)strncat(defaultseed, tbuf, sizeof(defaultseed) - 5);
79 
80 	if ((pp = getpwuid(getuid())) == NULL)
81 		err(1, "no user with uid %ld", (u_long)getuid());
82 	(void)strncpy(me, pp->pw_name, sizeof(me) - 1);
83 	me[sizeof(me) - 1] = '\0';
84 
85 	if ((pp = getpwnam(me)) == NULL)
86 		err(1, "Who are you?");
87 	salt = pp->pw_passwd;
88 
89 	while((c = getopt(argc, argv, "n:t:sxz")) != -1) {
90 		switch(c) {
91 			case 'n':
92 				n = atoi(optarg);
93 				if(n < 1 || n > SKEY_MAX_SEQ)
94 					errx(1, "count must be between 1 and %d", SKEY_MAX_SEQ);
95 				break;
96 			case 't':
97 				if(skey_set_algorithm(optarg) == NULL)
98 					errx(1, "Unknown hash algorithm %s", optarg);
99 				ht = optarg;
100 				break;
101 			case 's':
102 				defaultsetup = 0;
103 				break;
104 			case 'x':
105 				hexmode = 1;
106 				break;
107 			case 'z':
108 				zerokey = 1;
109 				break;
110 			default:
111 				err(1, "Usage: %s [-n count] [-t md4|md5|sha1] [-s] [-x] [-z] [user]\n", argv[0]);
112 		}
113 	}
114 
115 	if(argc > optind) {
116 		pp = getpwnam(argv[optind]);
117 		if (pp == NULL)
118 			errx(1, "User %s unknown", argv[optind]);
119 		}
120 
121 	if (strcmp(pp->pw_name, me) != 0) {
122 		if (getuid() != 0) {
123 			/* Only root can change other's passwds */
124 			errx(1, "Permission denied.");
125 		}
126 	}
127 
128 	if (getuid() != 0) {
129 		pw = getpass("Password:");
130 		p = crypt(pw, salt);
131 
132 		if (strcmp(p, pp->pw_passwd)) {
133 			errx(1, "Password incorrect.");
134 		}
135 	}
136 
137 	rval = skeylookup(&skey, pp->pw_name);
138 	switch (rval) {
139 	case -1:
140 		err(1, "cannot open database");
141 	case 0:
142 		/* comment out user if asked to */
143 		if (zerokey)
144 			exit(skeyzero(&skey, pp->pw_name));
145 
146 		printf("[Updating %s]\n", pp->pw_name);
147 		printf("Old key: [%s] %s\n", skey_get_algorithm(), skey.seed);
148 
149 		/*
150 		 * lets be nice if they have a skey.seed that
151 		 * ends in 0-8 just add one
152 		 */
153 		l = strlen(skey.seed);
154 		if (l > 0) {
155 			lastc = skey.seed[l - 1];
156 			if (isdigit((unsigned char)lastc) && lastc != '9') {
157 				(void)strncpy(defaultseed, skey.seed,
158 				    sizeof(defaultseed) - 1);
159 				defaultseed[l - 1] = lastc + 1;
160 			}
161 			if (isdigit((unsigned char)lastc) && lastc == '9' &&
162 			    l < 16) {
163 				(void)strncpy(defaultseed, skey.seed,
164 				    sizeof(defaultseed) - 1);
165 				defaultseed[l - 1] = '0';
166 				defaultseed[l] = '0';
167 				defaultseed[l + 1] = '\0';
168 			}
169 		}
170 		break;
171 	case 1:
172 		if (zerokey)
173 			errx(1, "You have no entry to zero.");
174 		printf("[Adding %s]\n", pp->pw_name);
175 		break;
176 	}
177 
178 	if(n==0)
179 		n = 99;
180 
181 	/* Set hash type if asked to */
182 	if (ht) {
183 		/* Need to zero out old key when changing algorithm */
184 		if (strcmp(ht, skey_get_algorithm()) && skey_set_algorithm(ht))
185 			zerokey = 1;
186 	}
187 
188 	if (!defaultsetup) {
189 		printf("You need the 6 english words generated from the \"skey\" command.\n");
190 		for (i = 0;; i++) {
191 			if (i >= 2)
192 				exit(1);
193 			printf("Enter sequence count from 1 to %d: ", SKEY_MAX_SEQ);
194 			fgets(buf, sizeof(buf), stdin);
195 			n = atoi(buf);
196 			if (n > 0 && n < SKEY_MAX_SEQ)
197 				break;	/* Valid range */
198 			printf("\nError: Count must be between 0 and %d\n", SKEY_MAX_SEQ);
199 		}
200 
201 		for (i = 0;; i++) {
202 			if (i >= 2)
203 				exit(1);
204 
205 			printf("Enter new seed [default %s]: ", defaultseed);
206 			fflush(stdout);
207 			fgets(seed, sizeof(seed), stdin);
208 			rip(seed);
209 			for (p = seed; *p; p++) {
210 				if (isalpha(*p)) {
211 					if (isupper(*p))
212 						*p = tolower(*p);
213 				} else if (!isdigit(*p)) {
214 					(void)puts("Error: seed may only contain alphanumeric characters");
215 					break;
216 				}
217 			}
218 			if (*p == '\0')
219 				break;  /* Valid seed */
220 		}
221 		if (strlen(seed) > SKEY_MAX_SEED_LEN) {
222 			printf("Notice: Seed truncated to %d characters.\n", SKEY_MAX_SEED_LEN);
223 			seed[SKEY_MAX_SEED_LEN] = '\0';
224 		}
225 		if (seed[0] == '\0')
226 			(void)strcpy(seed, defaultseed);
227 
228 		for (i = 0;; i++) {
229 			if (i >= 2)
230 				exit(1);
231 
232 			printf("otp-%s %d %s\ns/key access password: ",
233 				skey_get_algorithm(), n, seed);
234 			fgets(buf, sizeof(buf), stdin);
235 			rip(buf);
236 			backspace(buf);
237 
238 			if (buf[0] == '?') {
239 				puts("Enter 6 English words from secure S/Key calculation.");
240 				continue;
241 			} else if (buf[0] == '\0') {
242 				exit(1);
243 			}
244 			if (etob(key, buf) == 1 || atob8(key, buf) == 0)
245 				break;	/* Valid format */
246 			(void)puts("Invalid format - try again with 6 English words.");
247 		}
248 	} else {
249 	/* Get user's secret password */
250 	puts("Reminder - Only use this method if you are directly connected\n"
251 	      "           or have an encrypted channel. If you are using telnet\n"
252 	      "           or rlogin, exit with no password and use skeyinit -s.\n");
253 
254 	for (i = 0;; i++) {
255 			if (i >= 2)
256 				exit(1);
257 
258 			printf("Enter secret password: ");
259 			readpass(passwd, sizeof(passwd));
260 			if (passwd[0] == '\0')
261 				exit(1);
262 
263 			if (strlen(passwd) < SKEY_MIN_PW_LEN) {
264 				(void)fprintf(stderr,
265 				    "Your password must be at least %d characters long.\n", SKEY_MIN_PW_LEN);
266 				continue;
267 			} else if (strcmp(passwd, pp->pw_name) == 0) {
268 				(void)fputs("Your password may not be the same as your user name.\n", stderr);
269 				continue;
270 			}
271 #if 0
272 			else if (strspn(passwd, "abcdefghijklmnopqrstuvwxyz") == strlen(passwd)) {
273 				(void)fputs("Your password must contain more than just lower case letters.\n"
274 					    "Whitespace, numbers, and puctuation are suggested.\n", stderr);
275 				continue;
276 			}
277 #endif
278 			printf("Again secret password: ");
279 			readpass(passwd2, sizeof(passwd));
280 			if (passwd2[0] == '\0')
281 				exit(1);
282 
283 			if (strcmp(passwd, passwd2) == 0)
284 				break;
285 
286 			puts("Passwords do not match.");
287 		}
288 
289 		/* Crunch seed and password into starting key */
290 		(void)strcpy(seed, defaultseed);
291 		if (keycrunch(key, seed, passwd) != 0)
292 			err(2, "key crunch failed");
293 		nn = n;
294 		while (nn-- != 0)
295 			f(key);
296 	}
297 	(void)time(&now);
298 	tm = localtime(&now);
299 	(void)strftime(tbuf, sizeof(tbuf), " %b %d,%Y %T", tm);
300 
301 	if ((skey.val = (char *)malloc(16 + 1)) == NULL)
302 		err(1, "Can't allocate memory");
303 
304 	/* Zero out old key if necessary (entry would change size) */
305 	if (zerokey) {
306 		(void)skeyzero(&skey, pp->pw_name);
307 		/* Re-open keys file and seek to the end */
308 		if (skeylookup(&skey, pp->pw_name) == -1)
309 			err(1, "cannot open database");
310 	}
311 
312 	btoa8(skey.val, key);
313 
314 	/*
315 	 * Obtain an exclusive lock on the key file so we don't
316 	 * clobber someone authenticating themselves at the same time.
317 	 */
318 	for (i = 0; i < 300; i++) {
319 		if ((rval = flock(fileno(skey.keyfile), LOCK_EX|LOCK_NB)) == 0
320 		    || errno != EWOULDBLOCK)
321 			break;
322 		usleep(100000);			/* Sleep for 0.1 seconds */
323 	}
324 	if (rval == -1)	{			/* Can't get exclusive lock */
325 		errno = EAGAIN;
326 		err(1, "cannot open database");
327 	}
328 
329 	/* Don't save algorithm type for md4 (keep record length same) */
330 	if (strcmp(skey_get_algorithm(), "md4") == 0)
331 		(void)fprintf(skey.keyfile, "%s %04d %-16s %s %-21s\n",
332 		    pp->pw_name, n, seed, skey.val, tbuf);
333 	else
334 		(void)fprintf(skey.keyfile, "%s %s %04d %-16s %s %-21s\n",
335 		    pp->pw_name, skey_get_algorithm(), n, seed, skey.val, tbuf);
336 
337 	(void)fclose(skey.keyfile);
338 
339 	(void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name,
340 		     skey_get_algorithm(), n, seed);
341 	(void)printf("Next login password: %s\n\n",
342 		     hexmode ? put8(buf, key) : btoe(buf, key));
343 
344 	return(0);
345 }
346