From 2ddadf840c8d36ddbe8f3ebe10e718016126e00f Mon Sep 17 00:00:00 2001 From: Paul Traina Date: Wed, 19 Oct 1994 00:03:45 +0000 Subject: [PATCH] Include most of the logdaemon v4.4 S/key changes --- lib/libskey/Makefile | 8 +- lib/libskey/mdx.h | 19 ++++ lib/libskey/pathnames.h | 5 +- lib/libskey/put.c | 2 +- lib/libskey/skey.1 | 59 +++++++++++ lib/libskey/skey.access.5 | 47 ++++++++- lib/libskey/skey.h | 9 +- lib/libskey/skey_crypt.c | 3 +- lib/libskey/skeyaccess.c | 198 ++++++++++++++++++++++++++----------- lib/libskey/skeylogin.c | 23 +++-- lib/libskey/skeysubr.c | 141 +++++++------------------- libexec/ftpd/Makefile | 4 +- libexec/ftpd/ftpcmd.y | 2 +- libexec/ftpd/skey-stuff.c | 3 +- usr.bin/key/Makefile | 18 +--- usr.bin/key/skey.c | 5 +- usr.bin/keyinit/Makefile | 13 +-- usr.bin/keyinit/skeyinit.c | 11 +-- usr.bin/login/Makefile | 15 +-- usr.bin/login/login.c | 8 +- usr.bin/su/Makefile | 8 +- usr.bin/su/su.c | 8 +- 22 files changed, 367 insertions(+), 242 deletions(-) create mode 100644 lib/libskey/mdx.h create mode 100644 lib/libskey/skey.1 diff --git a/lib/libskey/Makefile b/lib/libskey/Makefile index f31f725da401..0630c5698b5e 100644 --- a/lib/libskey/Makefile +++ b/lib/libskey/Makefile @@ -1,14 +1,14 @@ # @(#)Makefile 5.4 (Berkeley) 5/7/91 LIB= skey -SRCS= skeyaccess.c md4.c put.c skey_crypt.c skeylogin.c skeysubr.c +SRCS= skeyaccess.c put.c skey_crypt.c skey_getpass.c skeylogin.c skeysubr.c +MAN1= skey.1 MAN5= skey.access.5 -CFLAGS+=-DMPU8086 -DPERMIT_CONSOLE -I${.CURDIR} +CFLAGS+=-DPERMIT_CONSOLE -I${.CURDIR} beforeinstall: - -cd ${.CURDIR}; cmp -s skey.h ${DESTDIR}/usr/include/skey.h > \ - /dev/null 2>&1 || \ + -cd ${.CURDIR}; cmp -s skey.h ${DESTDIR}/usr/include/skey.h || \ install -c -o ${BINOWN} -g ${BINGRP} -m 444 skey.h \ ${DESTDIR}/usr/include diff --git a/lib/libskey/mdx.h b/lib/libskey/mdx.h new file mode 100644 index 000000000000..567d541c959c --- /dev/null +++ b/lib/libskey/mdx.h @@ -0,0 +1,19 @@ +#ifdef MD5 +/* S/Key can use MD5 now, if defined... */ +#include + +#define MDXFinal MD5Final +#define MDXInit MD5Init +#define MDXUpdate MD5Update +#define MDX_CTX MD5_CTX +#else + +/* By default, use MD4 for compatibility */ +#include + +#define MDXFinal MD4Final +#define MDXInit MD4Init +#define MDXUpdate MD4Update +#define MDX_CTX MD4_CTX + +#endif diff --git a/lib/libskey/pathnames.h b/lib/libskey/pathnames.h index 43631f5133c3..87c8a2356dfa 100644 --- a/lib/libskey/pathnames.h +++ b/lib/libskey/pathnames.h @@ -1,5 +1,6 @@ -/* $Id$ (FreeBSD) */ +/* $Id: pathnames.h,v 1.1 1994/05/27 07:50:08 pst Exp $ (FreeBSD) */ #include -#define _PATH_SKEYACCESS "/etc/skey.access" +#define _PATH_SKEYACCESS "/etc/skey.access" +#define _PATH_SKEYFILE "/etc/skeykeys" diff --git a/lib/libskey/put.c b/lib/libskey/put.c index 0f62d22499c1..d533714fcb18 100644 --- a/lib/libskey/put.c +++ b/lib/libskey/put.c @@ -2,7 +2,7 @@ #include #include #include -#include +#include "skey.h" static unsigned long extract __P((char *s,int start,int length)); static void standard __P((char *word)); diff --git a/lib/libskey/skey.1 b/lib/libskey/skey.1 new file mode 100644 index 000000000000..b4e0455aa298 --- /dev/null +++ b/lib/libskey/skey.1 @@ -0,0 +1,59 @@ +.ll 6i +.pl 10.5i +.\" @(#)skey.1 1.1 10/28/93 +.\" +.lt 6.0i +.TH KEY 1 "28 October 1993" +.AT 3 +.SH NAME +S/key \- A procedure to use one time passwords for accessing computer systems. +.SH DESCRIPTION +.I S/key +is a procedure for using one time password to authenticate access to +computer systems. It uses 64 bits of information transformed by the +MD4 algorithm. The user supplies the 64 bits in the form of 6 English +words that are generated by a secure computer. +Example use of the S/key program +.I key +.sp + Usage example: +.sp 0 + >key 99 th91334 +.sp 0 + Enter password: +.sp 0 + OMEN US HORN OMIT BACK AHOY +.sp 0 + > +.sp +The programs that are part of the S/Key system are keyinit, key, and +keyinfo. Keyinit is used to get your ID set up, key is +used to get the one time password each time, +keyinfo is used to extract information from the S/Key database. +.sp +When you run "keyinit" you inform the system of your +secret password. Running "key" then generates the +one-time passwords, and also requires your secret +password. If however, you misspell your password +while running "key", you will get a list of passwords +that will not work, and no indication about the problem. +.sp +Password sequence numbers count backward from 99. If you +don't know this, the syntax for "key" will be confusing. +.sp +You can enter the passwords using small letters, even +though the "key" program gives them in caps. +.sp +Macintosh and a general purpose PC use +are available. +.sp +Under FreeBSD, you can control, with /etc/skey.access, from which +hosts and/or networks the use of S/Key passwords is obligated. +.LP +.SH SEE ALSO +.BR keyinit(1), +.BR key(1), +.BR keyinfo(1) +.BR skey.access(5) +.SH AUTHOR +Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5 index e92b4a66c3b6..2e12ad11935b 100644 --- a/lib/libskey/skey.access.5 +++ b/lib/libskey/skey.access.5 @@ -2,10 +2,9 @@ .SH NAME skey.access \- S/Key password control table .SH DESCRIPTION -The S/Key password control table (default -.IR /etc/skey.access ) -is used by \fIlogin\fR-like programs to determine when UNIX passwords -may be used to access the system. +The S/Key password control table (\fI/etc/skey.access\fR) is used by +\fIlogin\fR-like programs to determine when UNIX passwords may be used +to access the system. .IP \(bu When the table does not exist, there are no password restrictions. The user may enter the UNIX password or the S/Key one. @@ -44,6 +43,7 @@ on it. .SH CONDITIONS .IP "hostname wzv.win.tue.nl" True when the login comes from host wzv.win.tue.nl. +See the WARNINGS section below. .IP "internet 131.155.210.0 255.255.255.0" True when the remote host has an internet address in network 131.155.210. The general form of a net/mask rule is: @@ -58,6 +58,7 @@ and .I mask equals .IR net. +See the WARNINGS section below. .IP "port ttya" True when the login terminal is equal to .IR /dev/ttya . @@ -74,6 +75,44 @@ group. For the sake of backwards compatibility, the .I internet keyword may be omitted from net/mask patterns. +.SH WARNINGS +Several rule types depend on host name or address information obtained +through the network. What follows is a list of conceivable attacks to +force the system to permit UNIX passwords. +.IP "Host address spoofing (source routing)" +An intruder configures a local interface to an address in a trusted +network and connects to the victim using that source address. Given +the wrong client address, the victim draws the wrong conclusion from +rules based on host addresses or from rules based on host names derived +from addresses. +.sp +Remedies: (1) do not permit UNIX passwords with network logins; (2) +use network software that discards source routing information (e.g. +a tcp wrapper). +.PP +Almost every network server must look up the client host name using the +client network address. The next obvious attack therefore is: +.IP "Host name spoofing (bad PTR record)" +An intruder manipulates the name server system so that the client +network address resolves to the name of a trusted host. Given the +wrong host name, the victim draws the wrong conclusion from rules based +on host names, or from rules based on addresses derived from host +names. +.sp +Remedies: (1) do not permit UNIX passwords with network logins; (2) use +network software that verifies that the hostname resolves to the client +network address (e.g. a tcp wrapper). +.PP +Some applications, such as the UNIX login program, must look up the +client network address using the client host name. In addition to the +previous two attacks, this opens up yet another possibility: +.IP "Host address spoofing (extra A record)" +An intruder manipulates the name server system so that the client host +name (also) resolves to a trusted address. +.sp +Remedies: (1) do not permit UNIX passwords with network logins; (2) +the skeyaccess() routines ignore network addresses that appear to +belong to someone else. .SH DIAGNOSTICS Syntax errors are reported to the syslogd. When an error is found the rule is skipped. diff --git a/lib/libskey/skey.h b/lib/libskey/skey.h index e9ee453b586e..039da4e680af 100644 --- a/lib/libskey/skey.h +++ b/lib/libskey/skey.h @@ -12,8 +12,6 @@ struct skey { char *seed; char *val; long recstart; /*needed so reread of buffer is efficient*/ - - }; /* Client-side structure for scanning data stream for challenge */ @@ -32,6 +30,11 @@ void rip __P((char *buf)); int skeychallenge __P((struct skey *mp,char *name, char *challenge)); int skeylookup __P((struct skey *mp,char *name)); int skeyverify __P((struct skey *mp,char *response)); -int skeyaccess __P((char *user, char *port, char *host)); + +/* Simplified application programming interface. */ +#include +int skeyaccess __P((char *user, char *port, char *host, char *addr)); +char *skey_getpass __P((char *prompt, struct passwd *pwd, int pwok)); +char *skey_crypt __P((char *pp, char *salt, struct passwd *pwd, int pwok)); #endif /* _SKEY_H_ */ diff --git a/lib/libskey/skey_crypt.c b/lib/libskey/skey_crypt.c index b61bef08c90b..ca1024f77418 100644 --- a/lib/libskey/skey_crypt.c +++ b/lib/libskey/skey_crypt.c @@ -3,7 +3,8 @@ #include #include #include -#include + +#include "skey.h" /* skey_crypt - return encrypted UNIX passwd if s/key or regular password ok */ diff --git a/lib/libskey/skeyaccess.c b/lib/libskey/skeyaccess.c index 67ed549dce36..3cd877fd896a 100644 --- a/lib/libskey/skeyaccess.c +++ b/lib/libskey/skeyaccess.c @@ -2,9 +2,14 @@ * Figure out if UNIX passwords are permitted for any combination of user * name, group member, terminal port, host_name or network: * - * Programmatic interface: skeyaccess(char *user, char *port, char *host) + * Programmatic interface: skeyaccess(user, port, host, addr) * - * Specify a null character pointer where information is not available. + * All arguments are null-terminated strings. Specify a null character pointer + * where information is not available. + * + * When no address information is given this code performs the host (internet) + * address lookup itself. It rejects addresses that appear to belong to + * someone else. * * When compiled with -DPERMIT_CONSOLE always permits UNIX passwords with * console logins, no matter what the configuration file says. @@ -12,7 +17,9 @@ * To build a stand-alone test version, compile with -DTEST and run it off an * skey.access file in the current directory: * - * Command-line interface: ./skeyaccess user port [host] + * Command-line interface: ./skeyaccess user port [host_or_ip_addr] + * + * Errors are reported via syslogd. * * Author: Wietse Venema, Eindhoven University of Technology. */ @@ -54,6 +61,8 @@ static int match_internet_addr(); static int match_group(); static int match_token(); static int is_internet_addr(); +static struct in_addr *convert_internet_addr(); +static struct in_addr *lookup_internet_addr(); #define MAX_ADDR 32 #define PERMIT 1 @@ -68,40 +77,53 @@ struct login_info { /* skeyaccess - find out if UNIX passwords are permitted */ -int skeyaccess(user, port, host) +int skeyaccess(user, port, host, addr) char *user; char *port; char *host; +char *addr; { - struct hostent *hp; + FILE *fp; struct login_info login_info; - struct in_addr internet_addr[MAX_ADDR + 1]; - char hostname_buf[MAXHOSTNAMELEN + 1]; - int i; + int result; + /* + * Assume no restriction on the use of UNIX passwords when the s/key + * acces table does not exist. + */ + if ((fp = fopen(_PATH_SKEYACCESS, "r")) == 0) { +#ifdef TEST + fprintf(stderr, "No file %s, thus no access control\n", _PATH_SKEYACCESS); +#endif + return (PERMIT); + } + + /* + * Bundle up the arguments in a structure so we won't have to drag around + * boring long argument lists. + * + * Look up the host address when only the name is given. We try to reject + * addresses that belong to someone else. + */ login_info.user = user; login_info.port = port; - login_info.host_name = 0; - login_info.internet_addr = 0; - if (host) { - if (is_internet_addr(host)) { /* not DECnet */ - internet_addr[0].s_addr = inet_addr(host); - internet_addr[1].s_addr = 0; - login_info.internet_addr = internet_addr; + if (host != 0 && !is_internet_addr(host)) { + login_info.host_name = host; + } else { + login_info.host_name = 0; + } + + if (addr != 0 && is_internet_addr(addr)) { + login_info.internet_addr = convert_internet_addr(addr); + } else if (host != 0) { + if (is_internet_addr(host)) { + login_info.internet_addr = convert_internet_addr(host); } else { - if ((hp = gethostbyname(host)) != 0 && hp->h_addrtype == AF_INET) { - for (i = 0; i < MAX_ADDR && hp->h_addr_list[i]; i++) - memcpy((char *) &internet_addr[i], - hp->h_addr_list[i], hp->h_length); - internet_addr[i].s_addr = 0; - login_info.internet_addr = internet_addr; - host = hp->h_name; - } - strncpy(hostname_buf, host, MAXHOSTNAMELEN); - hostname_buf[MAXHOSTNAMELEN] = 0; - login_info.host_name = hostname_buf; + login_info.internet_addr = lookup_internet_addr(host); } + } else { + login_info.internet_addr = 0; } /* @@ -115,20 +137,25 @@ char *host; if (login_info.internet_addr == 0) { printf("none\n"); } else { + int i; + for (i = 0; login_info.internet_addr[i].s_addr; i++) - printf("%s%s", inet_ntoa(login_info.internet_addr[i]), + printf("%s%s", login_info.internet_addr[i].s_addr == -1 ? + "(see error log)" : inet_ntoa(login_info.internet_addr[i]), login_info.internet_addr[i + 1].s_addr ? " " : "\n"); } #endif - return (_skeyaccess(&login_info)); + result = _skeyaccess(fp, &login_info); + fclose(fp); + return (result); } /* _skeyaccess - find out if UNIX passwords are permitted */ -int _skeyaccess(login_info) +int _skeyaccess(fp, login_info) +FILE *fp; struct login_info *login_info; { - FILE *fp; char buf[BUFSIZ]; char *tok; int match; @@ -139,13 +166,6 @@ struct login_info *login_info; return (1); #endif - /* - * Assume no restriction on the use of UNIX passwords when the s/key - * acces table does not exist. - */ - if ((fp = fopen(_PATH_SKEYACCESS, "r")) == 0) - return (PERMIT); - /* * Scan the s/key access table until we find an entry that matches. If no * match is found, assume that UNIX passwords are disallowed. @@ -187,7 +207,6 @@ struct login_info *login_info; } } } - fclose(fp); return (match ? permission : DENY); } @@ -200,7 +219,6 @@ struct login_info *login_info; long pattern; long mask; struct in_addr *addrp; - struct hostent *hp; if (login_info->internet_addr == 0) return (0); @@ -212,26 +230,13 @@ struct login_info *login_info; mask = inet_addr(tok); /* - * See if any of the addresses matches a pattern in the control file. - * Report and skip the address if it does not belong to the remote host. - * Assume localhost == localhost.domain. + * See if any of the addresses matches a pattern in the control file. We + * have already tried to drop addresses that belong to someone else. */ -#define NEQ(x,y) (strcasecmp((x),(y)) != 0) - - for (addrp = login_info->internet_addr; addrp->s_addr; addrp++) { - if ((addrp->s_addr & mask) == pattern) { - if (login_info->host_name != 0 && - ((hp = gethostbyaddr((char *) addrp, sizeof(*addrp), AF_INET)) == 0 - || (NEQ(login_info->host_name, hp->h_name) - && NEQ(login_info->host_name, "localhost")))) { - syslog(LOG_ERR, "address %s not registered for host %s", - inet_ntoa(*addrp), login_info->host_name); - continue; - } + for (addrp = login_info->internet_addr; addrp->s_addr; addrp++) + if (addrp->s_addr != -1 && (addrp->s_addr & mask) == pattern) return (1); - } - } return (0); } @@ -365,18 +370,97 @@ char *str; return (runs == 4); } +/* lookup_internet_addr - look up internet addresses with extreme prejudice */ + +static struct in_addr *lookup_internet_addr(host) +char *host; +{ + struct hostent *hp; + static struct in_addr list[MAX_ADDR + 1]; + char buf[MAXHOSTNAMELEN + 1]; + int length; + int i; + + if ((hp = gethostbyname(host)) == 0 || hp->h_addrtype != AF_INET) + return (0); + + /* + * Save a copy of the results before gethostbyaddr() clobbers them. + */ + + for (i = 0; i < MAX_ADDR && hp->h_addr_list[i]; i++) + memcpy((char *) &list[i], + hp->h_addr_list[i], hp->h_length); + list[i].s_addr = 0; + + strncpy(buf, hp->h_name, MAXHOSTNAMELEN); + buf[MAXHOSTNAMELEN] = 0; + length = hp->h_length; + + /* + * Wipe addresses that appear to belong to someone else. We will get + * false alarms when when the hostname comes from DNS, while its + * addresses are listed under different names in local databases. + */ +#define NEQ(x,y) (strcasecmp((x),(y)) != 0) +#define NEQ3(x,y,n) (strncasecmp((x),(y), (n)) != 0) + + while (--i >= 0) { + if ((hp = gethostbyaddr((char *) &list[i], length, AF_INET)) == 0) { + syslog(LOG_ERR, "address %s not registered for host %s", + inet_ntoa(list[i]), buf); + list[i].s_addr = -1; + } + if (NEQ(buf, hp->h_name) && NEQ3(buf, "localhost.", 10)) { + syslog(LOG_ERR, "address %s registered for host %s and %s", + inet_ntoa(list[i]), hp->h_name, buf); + list[i].s_addr = -1; + } + } + return (list); +} + +/* convert_internet_addr - convert string to internet address */ + +static struct in_addr *convert_internet_addr(string) +char *string; +{ + static struct in_addr list[2]; + + list[0].s_addr = inet_addr(string); + list[1].s_addr = 0; + return (list); +} + #ifdef TEST main(argc, argv) int argc; char **argv; { + struct hostent *hp; + char host[MAXHOSTNAMELEN + 1]; + int verdict; + char *user; + char *port; + if (argc != 3 && argc != 4) { fprintf(stderr, "usage: %s user port [host_or_ip_address]\n", argv[0]); exit(0); } + if (_PATH_SKEYACCESS[0] != '/') + printf("Warning: this program uses control file: %s\n", KEYACCESS); openlog("login", LOG_PID, LOG_AUTH); - printf("%s\n", skeyaccess(argv[1], argv[2], argv[3]) ? "YES" : "NO"); + + user = argv[1]; + port = argv[2]; + if (argv[3]) { + strncpy(host, (hp = gethostbyname(argv[3])) ? + hp->h_name : argv[3], MAXHOSTNAMELEN); + host[MAXHOSTNAMELEN] = 0; + } + verdict = skeyaccess(user, port, argv[3] ? host : (char *) 0, (char *) 0); + printf("UNIX passwords %spermitted\n", verdict ? "" : "NOT "); return (0); } diff --git a/lib/libskey/skeylogin.c b/lib/libskey/skeylogin.c index f2d41049e1d8..e15edb5b4f60 100644 --- a/lib/libskey/skeylogin.c +++ b/lib/libskey/skeylogin.c @@ -2,12 +2,10 @@ * of Bellcore. * * Mink is the former name of the S/KEY authentication system. - * Many references for mink may still be found in this program. */ + * Many references for mink may still be found in this program. + */ #include -#ifdef QUOTA -#include -#endif #include #include #include @@ -19,9 +17,9 @@ #include #include #include -#include -#define KEYFILE "/etc/skeykeys" +#include "skey.h" +#include "pathnames.h" char *skipspace(); int skeylookup __P((struct skey *mp,char *name)); @@ -57,7 +55,8 @@ char *prompt; return -1; } return -1; /* Can't happen */ -} +} + /* Return a skey challenge string for user 'name'. If successful, * fill in the caller's skey structure and return 0. If unsuccessful * (e.g., if name is unknown) return -1. @@ -104,13 +103,13 @@ char *name; char *cp; struct stat statbuf; - /* See if the KEYFILE exists, and create it if not */ - if(stat(KEYFILE,&statbuf) == -1 && errno == ENOENT){ - mp->keyfile = fopen(KEYFILE,"w+"); - (void) chmod(KEYFILE, 0644); + /* See if the _PATH_SKEYFILE exists, and create it if not */ + if(stat(_PATH_SKEYFILE,&statbuf) == -1 && errno == ENOENT){ + mp->keyfile = fopen(_PATH_SKEYFILE,"w+"); + (void) chmod(_PATH_SKEYFILE, 0644); } else { /* Otherwise open normally for update */ - mp->keyfile = fopen(KEYFILE,"r+"); + mp->keyfile = fopen(_PATH_SKEYFILE,"r+"); } if(mp->keyfile == NULL) return -1; diff --git a/lib/libskey/skeysubr.c b/lib/libskey/skeysubr.c index b947c0164068..e144202a7655 100644 --- a/lib/libskey/skeysubr.c +++ b/lib/libskey/skeysubr.c @@ -4,19 +4,14 @@ #ifdef __MSDOS__ #include #endif -#ifdef unix /* Assume POSIX */ +#ifdef unix #include #include +#include #endif -#include -#include "md4.h" -#ifndef LITTLE_ENDIAN -#if (defined(__MSDOS__) || defined(MPU8086) || defined(MPU8080) \ - || defined(vax) || defined (MIPSEL)) -#define LITTLE_ENDIAN /* Low order bytes are first in memory */ -#endif /* Almost all other machines are big-endian */ -#endif +#include "skey.h" +#include "mdx.h" /* Crunch a key: * concatenate the seed and the password, run through MD4 and @@ -24,17 +19,14 @@ */ int keycrunch(result,seed,passwd) -char *result; /* 8-byte result */ -char *seed; /* Seed, any length */ -char *passwd; /* Password, any length */ +char *result; /* 8-byte result */ +char *seed; /* Seed, any length */ +char *passwd; /* Password, any length */ { char *buf; - MDstruct md; + MDX_CTX md; + u_long results[4]; unsigned int buflen; -#ifndef LITTLE_ENDIAN - int i; - register long tmp; -#endif buflen = strlen(seed) + strlen(passwd); if((buf = malloc(buflen+1)) == NULL) @@ -42,35 +34,17 @@ char *passwd; /* Password, any length */ strcpy(buf,seed); strcat(buf,passwd); - /* Crunch the key through MD4 */ + /* Crunch the key through MD[45] */ sevenbit(buf); - MDbegin(&md); - MDupdate(&md,(unsigned char *)buf,8*buflen); - + MDXInit(&md); + MDXUpdate(&md,(unsigned char *)buf,buflen); + MDXFinal((unsigned char *)results,&md); free(buf); - /* Fold result from 128 to 64 bits */ - md.buffer[0] ^= md.buffer[2]; - md.buffer[1] ^= md.buffer[3]; + results[0] ^= results[2]; + results[1] ^= results[3]; -#ifdef LITTLE_ENDIAN - /* Only works on byte-addressed little-endian machines!! */ - memcpy(result,(char *)md.buffer,8); -#else - /* Default (but slow) code that will convert to - * little-endian byte ordering on any machine - */ - for(i=0;i<2;i++){ - tmp = md.buffer[i]; - *result++ = tmp; - tmp >>= 8; - *result++ = tmp; - tmp >>= 8; - *result++ = tmp; - tmp >>= 8; - *result++ = tmp; - } -#endif + memcpy(result,(char *)results,8); return 0; } @@ -80,44 +54,18 @@ void f(x) char *x; { - MDstruct md; -#ifndef LITTLE_ENDIAN - register long tmp; -#endif - - MDbegin(&md); - MDupdate(&md,(unsigned char *)x,64); + MDX_CTX md; + u_long results[4]; + MDXInit(&md); + MDXUpdate(&md,(unsigned char *)x,8); + MDXFinal((unsigned char *)results,&md); /* Fold 128 to 64 bits */ - md.buffer[0] ^= md.buffer[2]; - md.buffer[1] ^= md.buffer[3]; + results[0] ^= results[2]; + results[1] ^= results[3]; -#ifdef LITTLE_ENDIAN /* Only works on byte-addressed little-endian machines!! */ - memcpy(x,(char *)md.buffer,8); - -#else - /* Default (but slow) code that will convert to - * little-endian byte ordering on any machine - */ - tmp = md.buffer[0]; - *x++ = tmp; - tmp >>= 8; - *x++ = tmp; - tmp >>= 8; - *x++ = tmp; - tmp >>= 8; - *x++ = tmp; - - tmp = md.buffer[1]; - *x++ = tmp; - tmp >>= 8; - *x++ = tmp; - tmp >>= 8; - *x++ = tmp; - tmp >>= 8; - *x = tmp; -#endif + memcpy(x,(char *)results,8); } /* Strip trailing cr/lf from a line of text */ @@ -152,16 +100,26 @@ int n; return buf; } #else +static struct termios saved_ttymode; + +static void interrupt() +{ + tcsetattr(0, TCSANOW, &saved_ttymode); + exit(1); +} + char * readpass(buf,n) char *buf; int n; { - struct termios saved_ttymode; struct termios noecho_ttymode; + void (*oldsig)(); /* Save normal line editing modes */ tcgetattr(0, &saved_ttymode); + if ((oldsig = signal(SIGINT, SIG_IGN)) != SIG_IGN) + signal(SIGINT, interrupt); /* Turn off echoing */ tcgetattr(0, &noecho_ttymode); @@ -172,6 +130,8 @@ int n; /* Restore previous tty modes */ tcsetattr(0, TCSANOW, &saved_ttymode); + if (oldsig != SIG_IGN) + signal(SIGINT, oldsig); /* after the secret key is taken from the keyboard, the line feed is @@ -189,33 +149,6 @@ int n; #endif -/* removebackspaced over charaters from the string*/ -backspace(buf) -char *buf; -{ - char bs = 0x8; - char *cp = buf; - char *out = buf; - - while(*cp){ - if( *cp == bs ) { - if(out == buf){ - cp++; - continue; - } - else { - cp++; - out--; - } - } - else { - *out++ = *cp++; - } - - } - *out = '\0'; - -} sevenbit(s) char *s; { diff --git a/libexec/ftpd/Makefile b/libexec/ftpd/Makefile index 396deee0d729..e1e5be2b3658 100644 --- a/libexec/ftpd/Makefile +++ b/libexec/ftpd/Makefile @@ -6,8 +6,8 @@ SRCS= ftpd.c ftpcmd.c logwtmp.c popen.c skey-stuff.c CFLAGS+=-DSETPROCTITLE -DSKEY -LDADD= -lcrypt -lskey -DPADD= ${LIBCRYPT} ${LIBSKEY} +LDADD= -lcrypt -lskey -lmd +DPADD= ${LIBCRYPT} ${LIBSKEY} ${LIBMD} CLEANFILES+=ftpcmd.c y.tab.h diff --git a/libexec/ftpd/ftpcmd.y b/libexec/ftpd/ftpcmd.y index 6ec3d252545a..5c090e35fae7 100644 --- a/libexec/ftpd/ftpcmd.y +++ b/libexec/ftpd/ftpcmd.y @@ -951,7 +951,7 @@ yylex() upper(cbuf); p = lookup(cmdtab, cbuf); cbuf[cpos] = c; - if (p != 0) { + if (guest != 0 && p != 0) { if (p->implemented == 0) { nack(p->name); longjmp(errcatch,0); diff --git a/libexec/ftpd/skey-stuff.c b/libexec/ftpd/skey-stuff.c index fdec650bcef0..5c34b9b7395d 100644 --- a/libexec/ftpd/skey-stuff.c +++ b/libexec/ftpd/skey-stuff.c @@ -18,6 +18,7 @@ int pwok; /* Display s/key challenge where appropriate. */ if (pwd == 0 || skeychallenge(&skey, pwd->pw_name, buf) != 0) - sprintf(buf, "Password required for %s.", name); + sprintf(buf, "%s required for %s.", + pwok ? "Password" : "S/Key password", name); return (buf); } diff --git a/usr.bin/key/Makefile b/usr.bin/key/Makefile index b8553abe3879..9612051552e7 100644 --- a/usr.bin/key/Makefile +++ b/usr.bin/key/Makefile @@ -1,21 +1,11 @@ - # @(#)Makefile 5.6 (Berkeley) 3/5/91 # PROG= key -MAN1= key.1 skey.1 -CFLAGS+=-I${.CURDIR}/../../lib - - -DPADD= /usr/bin/libskey.a -LDADD= -lskey - -.if exists(/usr/lib/libcrypt.a) -DPADD+= ${LIBCRYPT} -LDADD+= -lcrypt -.endif - SRCS= skey.c +MAN1= key.1 + +DPADD= ${LIBSKEY} ${LIBMD} +LDADD= -lskey -lmd .include - diff --git a/usr.bin/key/skey.c b/usr.bin/key/skey.c index d1bc239bed99..1e810e90a4f4 100644 --- a/usr.bin/key/skey.c +++ b/usr.bin/key/skey.c @@ -12,12 +12,13 @@ #include #include #include + #ifdef __MSDOS__ #include #else /* Assume BSD unix */ #include #endif -#include "libskey/md4.h" + #include char *readpass(); @@ -119,10 +120,10 @@ char *argv[]; } return 0; } + void usage(s) char *s; { fprintf(stderr,"Usage: %s [-n count] [/] \n",s); } - diff --git a/usr.bin/keyinit/Makefile b/usr.bin/keyinit/Makefile index a716f14cb3d9..a9ed54ee0eac 100644 --- a/usr.bin/keyinit/Makefile +++ b/usr.bin/keyinit/Makefile @@ -1,20 +1,13 @@ - # @(#)Makefile 5.6 (Berkeley) 3/5/91 # - PROG= keyinit MAN1= keyinit.1 -DPADD= /usr/bin/libskey.a -LDADD= -lskey - -.if exists(/usr/lib/libcrypt.a) -DPADD+= ${LIBCRYPT} -LDADD+= -lcrypt -.endif - SRCS= skeyinit.c BINOWN= root BINMODE=4555 +DPADD= ${LIBSKEY} ${LIBMD} +LDADD= -lskey -lmd + .include diff --git a/usr.bin/keyinit/skeyinit.c b/usr.bin/keyinit/skeyinit.c index 7c8e5d6f1c6d..5dfd1b19f12e 100644 --- a/usr.bin/keyinit/skeyinit.c +++ b/usr.bin/keyinit/skeyinit.c @@ -4,17 +4,15 @@ #include #include #include -#include #include +#include + extern int optind; extern char *optarg; -char * readpass(); - -int skeylookup __P((struct skey *mp,char *name)); - #define NAMELEN 2 + int main(argc,argv) int argc; @@ -103,7 +101,7 @@ char *argv[]; printf("Reminder you need the 6 english words from the skey command.\n"); for(i=0;;i++){ if(i >= 2) exit(1); - printf("Enter sequence count from 1 to 10000: "); + printf("Enter sequence count from 1 to 9999: "); fgets(tmp,sizeof(tmp),stdin); n = atoi(tmp); if(n > 0 && n < 10000) @@ -126,7 +124,6 @@ char *argv[]; printf("s/key %d %s\ns/key access password: ",n,seed); fgets(tmp,sizeof(tmp),stdin); rip(tmp); - backspace(tmp); if(tmp[0] == '?'){ printf("Enter 6 English words from secure S/Key calculation.\n"); continue; diff --git a/usr.bin/login/Makefile b/usr.bin/login/Makefile index bae657d9640e..21131d954da0 100644 --- a/usr.bin/login/Makefile +++ b/usr.bin/login/Makefile @@ -1,16 +1,18 @@ # From: @(#)Makefile 8.1 (Berkeley) 7/19/93 -# $Id$ +# $Id: Makefile,v 1.8 1994/09/30 13:26:15 csgr Exp $ PROG= login MAN1= login.1 MAN5= login.access.5 -SRCS= login.c login_access.c login_skey.c login_fbtab.c -DPADD= ${LIBUTIL} ${LIBSKEY} -LDADD= -lutil -lcrypt -lskey +SRCS= login.c login_access.c login_fbtab.c + CFLAGS+=-DLOGIN_ACCESS -DSKEY -DLOGALL -.if exists(${DESTDIR}/usr/lib/libkrb.a) && (defined(MAKE_KERBEROS) \ - || defined(MAKE_EBONES)) +DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBSKEY} ${LIBMD} +LDADD= -lutil -lcrypt -lskey -lmd + +.if exists(${DESTDIR}/usr/lib/libkrb.a) && \ + (defined(MAKE_KERBEROS) || defined(MAKE_EBONES)) CFLAGS+=-DKERBEROS SRCS+= klogin.c DPADD+= ${LIBKRB} ${LIBDES} @@ -22,4 +24,3 @@ BINMODE=4555 INSTALLFLAGS=-fschg .include - diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c index f240b1ba848f..a3b2683fc6b8 100644 --- a/usr.bin/login/login.c +++ b/usr.bin/login/login.c @@ -68,6 +68,10 @@ static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94"; #include #include +#ifdef SKEY +#include +#endif + #include "pathnames.h" void badlogin __P((char *)); @@ -125,7 +129,6 @@ main(argc, argv) char full_hostname[MAXHOSTNAMELEN]; #ifdef SKEY int permit_passwd = 0; - char *skey_getpass(), *skey_crypt(); #endif (void)signal(SIGALRM, timedout); @@ -259,7 +262,8 @@ main(argc, argv) #ifdef SKEY permit_passwd = skeyaccess(username, tty, - hostname ? full_hostname : NULL); + hostname ? full_hostname : NULL, + NULL); p = skey_getpass("Password:", pwd, permit_passwd); ep = skey_crypt(p, salt, pwd, permit_passwd); #else diff --git a/usr.bin/su/Makefile b/usr.bin/su/Makefile index c353734dd7e8..f9b61b1a9966 100644 --- a/usr.bin/su/Makefile +++ b/usr.bin/su/Makefile @@ -1,12 +1,12 @@ # @(#)Makefile 8.1 (Berkeley) 7/19/93 PROG= su -LDADD= -lcrypt -lskey -DPADD= ${LIBCRYPT} ${LIBSKEY} -SRCS= su.c login_skey.c +SRCS= su.c + CFLAGS+=-DSKEY -.PATH: ${.CURDIR}/../login +LDADD= -lcrypt -lskey -lmd +DPADD= ${LIBCRYPT} ${LIBSKEY} ${LIBMD} .if exists(${DESTDIR}/usr/lib/libkrb.a) && (defined(MAKE_KERBEROS) \ || defined(MAKE_EBONES)) diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c index 1928d1ee4a22..244a6954c582 100644 --- a/usr.bin/su/su.c +++ b/usr.bin/su/su.c @@ -56,6 +56,10 @@ static char sccsid[] = "@(#)su.c 8.3 (Berkeley) 4/2/94"; #include #include +#ifdef SKEY +#include +#endif + #ifdef KERBEROS #include #include @@ -68,10 +72,6 @@ int use_kerberos = 1; #define ARGSTR "-flm" #endif -#ifdef SKEY -char *skey_crypt(), *skey_getpass(); -#endif - char *ontty __P((void)); int chshell __P((char *));