Makefile.in (build_pwfile): Add rule to build the build_pwfile program
authorTheodore Tso <tytso@mit.edu>
Fri, 3 Jul 1998 22:34:54 +0000 (22:34 +0000)
committerTheodore Tso <tytso@mit.edu>
Fri, 3 Jul 1998 22:34:54 +0000 (22:34 +0000)
kadm_server.c (kadm_ser_cpw): Put the call to the kadm_approve_pw in
the common code, so it's executed even if KADM5 is defined.  Add
appropriate syslogs to the change password processing.

kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do the
NDBM-based dictionary check.  Build kadmind4 using the make option
PW_CHECK=-DNDBM_PW_CHECK if this feature is desired.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10621 dc483132-0cff-0310-8789-dd5450dbe970

src/kadmin/v4server/ChangeLog
src/kadmin/v4server/Makefile.in
src/kadmin/v4server/build_pwfile.c [new file with mode: 0644]
src/kadmin/v4server/kadm_funcs.c
src/kadmin/v4server/kadm_server.c

index 5ced9eb32155ce1fc48e5db573f6f7fe4647fd7c..c8846ff141ae21ff7ad43a32fbce037e9d23bb32 100644 (file)
@@ -1,3 +1,18 @@
+Fri Jul  3 18:17:48 1998  Theodore Y. Ts'o  <tytso@mit.edu>
+
+       * Makefile.in (build_pwfile): Add rule to build the build_pwfile
+               program.   
+
+       * kadm_server.c (kadm_ser_cpw): Put the call to the
+               kadm_approve_pw in the common code, so it's executed even
+               if KADM5 is defined.  Add appropriate syslogs to the
+               change password processing.
+
+       * kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do
+               the NDBM-based dictionary check.   Build kadmind4 using
+               the make option PW_CHECK=-DNDBM_PW_CHECK if this feature
+               is desired.
+
 1998-05-08  Theodore Ts'o  <tytso@rsts-11.mit.edu>
 
        * kadm_server.c (krb_log): Print the year using 4 digit to avoid
index 19b7ee81cae0cac80bffcb39faa6b7b14f95e52c..726b91a8492fac6cd1a8c487fa0a4def9bec5943 100644 (file)
@@ -1,6 +1,6 @@
 thisconfigdir=./..
 BUILDTOP=$(REL)$(U)$(S)$(U)
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) \
+CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) $(PW_CHECK) \
        -DKADM5 -DNEED_SOCKETS @HESIOD_DEFS@
 PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
 PROG_RPATH=$(KRB5_LIBDIR)
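Review bot: `$(PW_CHECK)` is added to `CFLAGS` but is neither set nor described anywhere in this hunk, so the dictionary check stays off unless the builder already knows to pass it on the command line. A comment above the assignment would record that, for example `# PW_CHECK=-DNDBM_PW_CHECK enables the NDBM bad-password dictionary check in kadm_funcs.c (off by default)`. An explicit empty default `PW_CHECK=` beside it would also make the default build's behaviour visible in the file while still letting `make PW_CHECK=...` override it.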
@@ -21,11 +21,16 @@ kadm_err.c kadm_err.h: kadm_err.et
 $(OBJS): kadm_err.h
 
 $(PROG): $(OBJS) $(KADMCLNT_DEPLIBS) $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS)
-       $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(DB_LIB) $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
+       $(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(DB_LIB) \
+               $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
+
+build_pwfile: build_pwfile.o $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS)
+       $(CC_LINK) -o build_pwfile build_pwfile.o $(DB_LIB) \
+               $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
 
 install::
        $(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
 
 clean::
-       $(RM) $(PROG) $(OBJS)
+       $(RM) $(PROG) $(OBJS) build_pwfile build_pwfile.o
        $(RM) kadm_err.h kadm_err.c
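Review bot: The new `build_pwfile` rule is covered by `clean::`, but `install::` still installs only `$(PROG)`, so a kadmind4 built with `PW_CHECK=-DNDBM_PW_CHECK` is installed without the tool that generates the dictionary it opens. If the helper is meant for administrators, add `$(INSTALL_PROGRAM) build_pwfile ${DESTDIR}$(ADMIN_BINDIR)/build_pwfile` to `install::`; if it is meant to be run from the build tree only, a comment on the rule saying so would help. Whether `all::` builds it cannot be seen from this hunk.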
diff --git a/src/kadmin/v4server/build_pwfile.c b/src/kadmin/v4server/build_pwfile.c
new file mode 100644 (file)
index 0000000..9cede78
--- /dev/null
@@ -0,0 +1,119 @@
+#define NDBM
+/*
+ * build_pwfile.c  --- build a table of bad passwords, keyed by their
+ *     des equivalents.
+ *
+ * Written by Theodore Ts'o
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#ifndef        lint
+static char rcsid_build_pwfile_c[] =
+"$Id$";
+#endif lint
+
+#include <mit-copyright.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/file.h>
+
+#ifdef NDBM
+#include <ndbm.h>
+#else /*NDBM*/
+#include <dbm.h>
+#endif /*NDBM*/
+
+#include <kadm.h>
+#include <kadm_err.h>
+#include <krb_db.h>
+#include "kadm_server.h"
+
+/* Macros to convert ndbm names to dbm names.
+ * Note that dbm_nextkey() cannot be simply converted using a macro, since
+ * it is invoked giving the database, and nextkey() needs the previous key.
+ *
+ * Instead, all routines call "dbm_next" instead.
+ */
+#ifndef NDBM
+typedef char DBM;
+#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
+#define dbm_fetch(db, key) fetch(key)
+#define dbm_store(db, key, content, flag) store(key, content)
+#define dbm_firstkey(db) firstkey()
+#define dbm_next(db,key) nextkey(key)
+#define dbm_close(db) dbmclose()
+#else
+#define dbm_next(db,key) dbm_nextkey(db)
+#endif
+
+main(argc, argv)
+       int     argc;
+       char    **argv;
+{
+       DBM     *pwfile;
+       FILE    *f;
+       datum   passwd, entry;
+       des_cblock      key;
+       char            word[1024];
+       int             len, filenum, i;
+       int             wptr;
+
+       if (argc != 2) {
+               fprintf(stderr,"%s: Usage: %s filename\n", argv[0], argv[0]);
+               exit(1);
+       }
+       if (!(f = fopen(argv[1], "r"))) {
+               perror(argv[1]);
+               exit(1);
+       }
+       pwfile = dbm_open(PW_CHECK_FILE, O_RDWR|O_CREAT, 0644);
+       if (!pwfile) {
+               fprintf(stderr, "Couldn't open %s for writing.\n",
+                       PW_CHECK_FILE);
+               perror("dbm_open");
+               exit(1);
+       }
+       filenum = 0;
+       do {
+               filenum++;
+               passwd.dptr = (char *) &filenum;
+               passwd.dsize = sizeof(filenum);
+               entry.dptr = argv[1];
+               entry.dsize = strlen(argv[1])+1;
+       } while (dbm_store(pwfile, passwd, entry, DBM_INSERT));
+       i = 0;
+       while (!feof(f)) {
+               i++;
+               wptr = (filenum << 24) + i;
+               fgets(word, sizeof(word), f);
+               len = strlen(word);
+               if (len > 0 && word[len-1] == '\n')
+                       word[--len] = '\0';
+#ifdef NOENCRYPTION
+               bzero((char *) key, sizeof(des_cblock));
+               key[0] = (unsigned char) 1;
+#else
+               (void) des_string_to_key(word, key);
+#endif
+               
+               passwd.dptr = (char *) key;
+               passwd.dsize = 8;
+               entry.dptr = (char *) &wptr;
+#ifdef notdef
+               entry.dsize = sizeof(wptr);
+#else
+               entry.dsize = 0;
+#endif
+               dbm_store(pwfile, passwd, entry, DBM_REPLACE);
+       }
+       dbm_close(pwfile);
+       exit(0);
+}
+
+
+
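Review bot: The word loop in `main` tests `feof(f)` before reading and never checks the result of `fgets`, so after the last line (or on an empty file, where `word` is still uninitialized) one more entry is derived from whatever is left in the buffer. The return value of `dbm_store` inside the loop is also ignored, so a full disk or a database error yields a truncated dictionary with exit status 0, and kadmind4 would then accept passwords the administrator believes are blocked. Driving the loop from `fgets` and failing on a store error fixes both, as sketched below. The earlier `do ... while (dbm_store(..., DBM_INSERT))` has a related problem: it retries on any non-zero result, so an error return loops forever; comparing against `== 1` would limit the retry to the key-exists case.

```c
	i = 0;
	while (fgets(word, sizeof(word), f)) {
		i++;
		/* ... unchanged: wptr, newline strip, des_string_to_key, datum setup ... */
		if (dbm_store(pwfile, passwd, entry, DBM_REPLACE) < 0) {
			fprintf(stderr, "Couldn't store word %d in %s.\n",
				i, PW_CHECK_FILE);
			exit(1);
		}
	}
```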
index 87eb227ee8b0af6d5db834d297d47b38225892f1..1d32073007f9180a73c428c01ede1d6286433d9b 100644 (file)
@@ -19,7 +19,9 @@ the actual database manipulation code
 #include <stdio.h>
 #include <string.h>
 #include <sys/param.h>
-/* #include <ndbm.h> Gotten by kadmin_server.h */
+#ifdef NDBM_PW_CHECK
+#include <ndbm.h>
+#endif
 #include <ctype.h>
 #include <pwd.h>
 #include <sys/file.h>
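Review bot: The include is guarded with `#ifdef NDBM_PW_CHECK`, while the two later hunks in this file (the `pwfile` declaration and the `dbm_open` call) use `#if NDBM_PW_CHECK`. The two forms disagree when the macro is defined as 0 or defined empty: either the header is included while the check is compiled out, or the `#if` fails to preprocess. Using `#ifdef NDBM_PW_CHECK` in all three places matches the documented `PW_CHECK=-DNDBM_PW_CHECK` usage.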
@@ -746,7 +748,7 @@ des_cblock newpw;
 char *pwstring;
 {
        int             retval;
-#ifdef notdef
+#if NDBM_PW_CHECK
        static DBM *pwfile = NULL;
        datum           passwd, entry;
 #endif
@@ -762,7 +764,7 @@ char *pwstring;
                return(KADM_PW_MISMATCH);
        if (pwstring && (strlen(pwstring) < 5))
                return(KADM_INSECURE_PW);
-#ifdef notdef
+#if NDBM_PW_CHECK
        if (!pwfile) {
                pwfile = dbm_open(PW_CHECK_FILE, O_RDONLY, 0644);
        }
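Review bot: The result of `dbm_open(PW_CHECK_FILE, O_RDONLY, 0644)` is not checked within this hunk, and the code that goes on to use `pwfile` lies after it. If a missing or unreadable dictionary simply makes the check fall through, every password of five or more characters is accepted with no trace, so the failure should be logged where the open happens, e.g. `if (!pwfile) syslog(LOG_ERR, "cannot open password dictionary %s", PW_CHECK_FILE);` (this commit uses `syslog` in kadm_server.c; whether this file already includes `<syslog.h>` is not visible here). The mode argument has no effect with `O_RDONLY` and could be `0`.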
index e84e0b7a70a97be3d97067a09a8c0a5fc7debc2e..71cec133919f62ccc4b1479551783804b3950014 100644 (file)
@@ -24,6 +24,7 @@
 #else
 #include <time.h>
 #endif
+#include <syslog.h>
 
 #ifdef KADM5
 #include <com_err.h>
@@ -167,13 +168,55 @@ int *outlen;
     memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4);
     memcpy((char *)newkey, (char *)&keylow, 4);
 
+    if (retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
+                       newkey, no_pword ? 0 : pword)) {
+           if (retval == KADM_PW_MISMATCH) {
+                   /*
+                    * Very strange!!!  This means that the cleartext
+                    * password which was sent and the DES cblock
+                    * didn't match!
+                    */
+                   syslog(LOG_ERR, "'%s.%s@%s' sent a password string which didn't match with the DES key?!?",
+                                  ad->pname, ad->pinst, ad->prealm);
+                   return(retval);
+           }
+           if (fascist_cpw) {
+                   *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1;
+                   if (*datout = (u_char *) malloc(*outlen)) {
+                           strcpy((char *) *datout, bad_pw_err);
+                           strcat((char *) *datout, pw_blurb);
+                   } else
+                           *outlen = 0;
+                   syslog(LOG_ERR, "'%s.%s@%s' tried to use an insecure password in changepw",
+                                  ad->pname, ad->pinst, ad->prealm);
+#ifdef notdef
+                   /* For debugging only, probably a bad idea */
+                   if (!no_pword)
+                           (void) krb_log("The password was %s\n", pword);
+#endif
+                   return(retval);
+           } else {
+                   *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1;
+                   if (*datout = (u_char *) malloc(*outlen)) {
+                           strcpy((char *) *datout, bad_pw_warn);
+                           strcat((char *) *datout, pw_blurb);
+                   } else
+                           *outlen = 0;
+                   syslog(LOG_ERR, "'%s.%s@%s' used an insecure password in changepw",
+                                  ad->pname, ad->pinst, ad->prealm);
+           }
+    } else {
+           *datout = 0;
+           *outlen = 0;
+    }
+
 #ifdef KADM5
     /* we don't use the client-provided key itself */
     keylow = keyhigh = 0;
     memset(newkey, 0, sizeof(newkey));
 
     if (no_pword) {
-        krb_log("Old-style change password request from '%s.%s@%s'!",
+      syslog(LOG_ERR, "Old-style change password request from '%s.%s@%s'!",
                 ad->pname, ad->pinst, ad->prealm);
         *outlen = strlen(pw_required)+1;
         if (*datout = (u_char *) malloc(*outlen)) {
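Review bot: The two `return(retval);` paths in the relocated `kadm_approve_pw` block (the password mismatch and the `fascist_cpw` rejection) leave before `keylow = keyhigh = 0; memset(newkey, 0, sizeof(newkey));` runs, so in a KADM5 build the client-supplied key now stays in `newkey`, `keylow` and `keyhigh` on those exits, where previously it was cleared right after the `memcpy` calls. Repeating those two statements before each early return, or jumping to a common cleanup label, restores that. In the non-fascist branch the warning buffer stored in `*datout` is also still live when the `no_pword` path below assigns `*datout` again, which looks like a leak if both conditions can hold. The function begins before this hunk and continues past it.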
@@ -184,6 +227,9 @@ int *outlen;
         return KADM_INSECURE_PW;
     }
                     
+    syslog(LOG_INFO, "'%s.%s@%s' wants to change its password",
+          ad->pname, ad->pinst, ad->prealm);
+
     if (krb5_build_principal(kadm_context, &user_princ,
                             strlen(ad->prealm),
                             ad->prealm,
@@ -269,54 +315,17 @@ send_response:
              strcat(*datout, "\n");
         } else
              *outlen = 0;
+    } else {
+         syslog(LOG_INFO,
+               "'%s.%s@%s' password changed.", 
+               ad->pname, ad->pinst, ad->prealm);
     }
     if (retval == KADM_INSECURE_PW) {
-        krb_log("'%s.%s@%s' tried to use an insecure password in changepw",
+          syslog(LOG_ERR, 
+                "'%s.%s@%s' tried to use an insecure password in changepw",
                 ad->pname, ad->pinst, ad->prealm);
     }
 #else /* KADM5 */
-    if (retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
-                       newkey, no_pword ? 0 : pword)) {
-           if (retval == KADM_PW_MISMATCH) {
-                   /*
-                    * Very strange!!!  This means that the cleartext
-                    * password which was sent and the DES cblock
-                    * didn't match!
-                    */
-                   (void) krb_log("'%s.%s@%s' sent a password string which didn't match with the DES key?!?",
-                                  ad->pname, ad->pinst, ad->prealm);
-                   return(retval);
-           }
-           if (fascist_cpw) {
-                   *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1;
-                   if (*datout = (u_char *) malloc(*outlen)) {
-                           strcpy((char *) *datout, bad_pw_err);
-                           strcat((char *) *datout, pw_blurb);
-                   } else
-                           *outlen = 0;
-                   (void) krb_log("'%s.%s@%s' tried to use an insecure password in changepw",
-                                  ad->pname, ad->pinst, ad->prealm);
-#ifdef notdef
-                   /* For debugging only, probably a bad idea */
-                   if (!no_pword)
-                           (void) krb_log("The password was %s\n", pword);
-#endif
-                   return(retval);
-           } else {
-                   *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1;
-                   if (*datout = (u_char *) malloc(*outlen)) {
-                           strcpy((char *) *datout, bad_pw_warn);
-                           strcat((char *) *datout, pw_blurb);
-                   } else
-                           *outlen = 0;
-                   (void) krb_log("'%s.%s@%s' used an insecure password in changepw",
-                                  ad->pname, ad->pinst, ad->prealm);
-           }
-    } else {
-           *datout = 0;
-           *outlen = 0;
-    }
-
     retval = kadm_change(ad->pname, ad->pinst, ad->prealm, newkey);
     keylow = keyhigh = 0;
     memset(newkey, 0, sizeof(newkey));