4 * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
6 * For copying and distribution information, please see the file
10 #include "mit-copyright.h"
20 * This file contains two routines: passwd_to_key() converts
21 * a password into a DES key (prompting for the password if
22 * not supplied), and krb_get_pw_in_tkt() gets an initial ticket for
27 * passwd_to_key(): given a password, return a DES key.
28 * There are extra arguments here which (used to be?)
29 * used by srvtab_to_key().
31 * If the "passwd" argument is not null, generate a DES
32 * key from it, using string_to_key().
34 * If the "passwd" argument is null, then on a Unix system we call
35 * des_read_password() to prompt for a password and then convert it
36 * into a DES key. But "prompting" the user is harder in a Windows or
37 * Macintosh environment, so we rely on our caller to explicitly do
40 * In either case, the resulting key is put in the "key" argument,
/* Fragment of passwd_to_key() (K&R definition; this listing omits several
 * lines, including the conditionals that choose between the calls below).
 * Each visible call either derives the DES key from "passwd" with
 * string_to_key() or obtains it by prompting with "Password: ". */
45 passwd_to_key(user,instance,realm,passwd,key)
46 char *user, *instance, *realm, *passwd;
49 #if defined(_WINDOWS) || defined(macintosh)
/* NOTE(review): no null check on passwd is visible before this call; the
 * comments in this file say these platforms rely on the caller to supply a
 * non-null password -- confirm every caller rejects null first. */
50 string_to_key(passwd, key);
/* Last argument is the "verify" parameter of placebo_read_password(); 0
 * here, so no re-entry prompt is expected. */
54 placebo_read_password(key, "Password: ", 0);
55 #else /* Do encryption */
57 string_to_key(passwd, key);
/* Presumably the same (key, prompt, verify) convention as the placebo
 * routine -- TODO confirm against des_read_password(). */
59 des_read_password(key, "Password: ", 0);
61 #endif /* NOENCRYPTION */
67 * krb_get_pw_in_tkt() takes the name of the server for which the initial
68 * ticket is to be obtained, the name of the principal the ticket is
69 * for, the desired lifetime of the ticket, and the user's password.
70 * It passes its arguments on to krb_get_in_tkt(), which contacts
71 * Kerberos to get the ticket, decrypts it using the password provided,
72 * and stores it away for future use.
74 * On a Unix system, krb_get_pw_in_tkt() is able to prompt the user
75 * for a password, if the supplied password is null. On a non-Unix
76 * system, it now requires the caller to supply a non-null password.
77 * This is because of the complexities of prompting the user in a
78 * non-terminal-oriented environment like the Macintosh (running in a
79 * driver) or MS-Windows (in a DLL).
81 * krb_get_pw_in_tkt() passes two additional arguments to krb_get_in_tkt():
82 * the name of a routine (passwd_to_key()) to be used to get the
83 * password in case the "password" argument is null and NULL for the
84 * decryption procedure indicating that krb_get_in_tkt should use the
85 * default method of decrypting the response from the KDC.
87 * The result of the call to krb_get_in_tkt() is returned.
91 krb_get_pw_in_tkt(user,instance,realm,service,sinstance,life,password)
92 char *user, *instance, *realm, *service, *sinstance;
96 #if defined(_WINDOWS) || defined(macintosh)
97 /* In spite of the comments above, we don't allow that path here,
98 to simplify coding the non-UNIX clients. The only code that now
99 depends on this behavior is the preauth support, which has a
100 separate function without this trap. Strictly speaking, this
107 return(krb_get_in_tkt(user,instance,realm,service,sinstance,life,
109 (decrypt_tkt_type)NULL, password));
113 * krb_get_pw_in_tkt_preauth() gets handed the password or key explicitly,
114 * since the whole point of "pre" authentication is to prove that we've
115 * already got the key, and the only way to do that is to ask the user
116 * for it. Clearly we shouldn't ask twice.
/* File-scope buffer for one DES key block.  krb_get_pw_in_tkt_preauth()
 * passes it to krb_mk_preauth() and stub_key() copies it back out.
 * NOTE(review): being static, the key material persists after the ticket
 * request and is shared by every caller in the process; no clearing of
 * old_key is visible in this listing -- confirm it is zeroed once the
 * request completes, and treat the preauth path as non-reentrant. */
119 static C_Block old_key;
/* Key procedure used on the preauth path: in the line shown it does not
 * consult the name or password arguments and simply copies the saved
 * old_key into "key", so the user is not prompted a second time. */
121 static int stub_key(user,instance,realm,passwd,key)
122 char *user, *instance, *realm, *passwd;
125 (void) memcpy((char *) key, (char *) old_key, sizeof(old_key));
/* Fragment of krb_get_pw_in_tkt_preauth(): builds preauthentication data
 * from the password, requests the initial ticket with it, then releases
 * the preauth buffer.  Several lines (declarations, the null-password
 * check, the return) are not shown in this listing. */
130 krb_get_pw_in_tkt_preauth(user,instance,realm,service,sinstance,life,password)
131 char *user, *instance, *realm, *service, *sinstance;
139 #if defined(_WINDOWS) || defined(macintosh)
140 /* On non-Unix systems, we can't handle a null password, because
141 passwd_to_key can't handle prompting for the password. */
/* passwd_to_key is passed as the key procedure and old_key as the final
 * argument, apparently so the derived key is left in old_key for stub_key()
 * to hand back during the ticket request below.
 * NOTE(review): the call is a bare statement, so any status that
 * krb_mk_preauth() returns is not examined in the lines shown -- confirm a
 * failure here cannot lead to a request built from unset preauth data. */
146 krb_mk_preauth(&preauth_p,&preauth_len, passwd_to_key,
147 user,instance,realm,password,old_key);
/* stub_key replaces the usual password-to-key routine; NULL selects the
 * default decryption of the KDC reply, as described earlier in this file. */
148 ret_st = krb_get_in_tkt_preauth(user,instance,realm,service,sinstance,life,
149 (key_proc_type) stub_key,
150 (decrypt_tkt_type) NULL, password,
151 preauth_p, preauth_len);
/* Frees the preauth buffer only; old_key is not touched by this call. */
153 krb_free_preauth(preauth_p, preauth_len);
157 /* FIXME! This routine belongs in the krb library and should simply
158 be shared between the encrypted and NOENCRYPTION versions! */
162 * This routine prints the supplied string to standard
163 * output as a prompt, and reads a password string without
170 #include <sys/ioctl.h>
177 #if defined(__svr4__) || defined(__SVR4)
186 static void sig_restore();
187 static push_signals(), pop_signals();
188 int placebo_read_pw_string();
191 /*** Routines ****************************************************** */
/* Fragment of placebo_read_password(): reads a password string into a
 * BUFSIZ stack buffer through placebo_read_pw_string(), zero-fills the key
 * block k, and clears the buffer.  Lines between these statements are not
 * shown in this listing. */
193 placebo_read_password(k,prompt,verify)
199 char key_string[BUFSIZ];
208 ok = placebo_read_pw_string(key_string, BUFSIZ, prompt, verify);
/* In the lines shown, k is zero-filled rather than derived from the typed
 * string. */
210 memset(k, 0, sizeof(C_Block));
/* NOTE(review): this is a plain memset of a local buffer; if nothing reads
 * key_string afterwards an optimizing compiler is allowed to drop the call.
 * A clear that cannot be elided (explicit_bzero, memset_s, or a loop over a
 * volatile pointer) keeps the password from lingering on the stack. */
213 memset(key_string, 0, sizeof (key_string));
218 * This version just returns the string, doesn't map to key.
220 * Returns 0 on success, non-zero on failure.
/* Fragment of placebo_read_pw_string(): prompts on the terminal with echo
 * disabled, reads a line into s (at most max bytes), reads it a second time
 * into key_string for verification, then turns echo back on.  Returns 0 on
 * success and non-zero on failure.  Many lines (declarations, loop and
 * conditional structure) are not shown in this listing. */
224 placebo_read_pw_string(s,max,prompt,verify)
235 struct sgttyb tty_state;
/* Holds the second (verification) entry; cleared before returning. */
237 char key_string[BUFSIZ];
/* env and old_env are declared on lines not shown; this copy and the reverse
 * copy before returning look like a save/restore of a jump buffer used with
 * the signal handler -- TODO confirm. */
244 memcpy(env, old_env, sizeof(env));
248 /* save terminal state */
249 if (ioctl(0,TIOCGETP,&tty_state) == -1)
/* Clear ECHO on descriptor 0 so the typed password is not displayed. */
254 tty_state.sg_flags &= ~ECHO;
255 if (ioctl(0,TIOCSETP,&tty_state) == -1)
/* NOTE(review): s is a function parameter, hence a pointer, so sizeof(s) is
 * the size of a pointer and not the length of the caller's buffer.  The
 * fgets() call below passes max, and the later h19line() call can use sizeof
 * only because key_string is a local array.  If h19line()'s second argument
 * is a buffer length, max is the value this call should pass.  (This call
 * and the fgets() below are presumably alternative build paths.) */
262 h19line(s,sizeof(s),0);
266 if (!fgets(s, max, stdin)) {
/* Locate the newline that fgets() leaves in the buffer; the statement that
 * uses ptr is not shown. */
270 if ((ptr = strchr(s, '\n')))
274 printf("\nVerifying, please re-enter %s",prompt);
277 h19line(key_string,sizeof(key_string),0);
278 if (!strlen(key_string))
281 if (!fgets(key_string, sizeof(key_string), stdin)) {
285 if ((ptr = strchr(key_string, '\n')))
/* Non-zero strcmp() means the two entries differ. */
288 if (strcmp(s,key_string)) {
289 printf("\n\07\07Mismatch - try again\n");
302 /* turn echo back on */
/* NOTE(review): ECHO is set unconditionally in the same tty_state that was
 * modified above, so a terminal that already had echo off on entry leaves
 * with it on; keeping an untouched copy of the saved flags would restore the
 * exact prior state. */
303 tty_state.sg_flags |= ECHO;
304 if (ioctl(0,TIOCSETP,&tty_state))
307 memcpy(old_env, env, sizeof(env));
/* NOTE(review): plain memset of a local near the end of its life may be
 * removed by the optimizer; prefer a clear that cannot be elided.  The
 * password itself is still in s, which the caller must clear after use. */
310 memset(key_string, 0, sizeof (key_string));
/* Assumes max >= 1; with max == 0 this would write before the buffer --
 * confirm against callers. */
311 s[max-1] = 0; /* force termination */
312 return !ok; /* return nonzero if not okay */
317 * this can be static since we should never have more than
/* Saved dispositions, indexed by signal number, for every signal that
 * push_signals() replaces. */
320 static sigtype (*old_sigfunc[NSIG])();
/* Installs sig_restore as the handler for every signal number from 0 to
 * NSIG-1 and remembers what signal() returned for each.
 * NOTE(review): signal() returns SIG_ERR for numbers it cannot change (0 and
 * the uncatchable signals); that value is stored unchecked and later handed
 * back to signal() by the restore loop.  Skipping entries that failed to
 * install would make the restore exact. */
322 static push_signals()
325 for (i = 0; i < NSIG; i++)
326 old_sigfunc[i] = signal(i,sig_restore);
/* Restore loop (its function header is not shown in this listing): puts
 * back each saved disposition. */
332 for (i = 0; i < NSIG; i++)
333 signal(i,old_sigfunc[i]);
336 static void sig_restore(sig,code,scp)
338 struct sigcontext *scp;
343 #endif /* NOENCRYPTION */