upstream/openldap
1
0
Fork 0
mirror of https://git.openldap.org/openldap/openldap.git synced 2025-12-29 02:59:34 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Rip most of Kbind out in prep for adding SASL.

Browse source
This commit is contained in:
Kurt Zeilenga 2001-06-14 05:28:46 +00:00
parent 7ee53eb12e
commit 5cf21f13fe
8 changed files with 10 additions and 547 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
clients/ud/Makefile.in
View file

@ -1,10 +1,10 @@
# $OpenLDAP$
SRCS= main.c find.c mod.c print.c auth.c util.c help.c \
string_to_key.c group.c edit.c globals.c
group.c edit.c globals.c
XSRCS= version.c
OBJS= main.o find.o mod.o print.o auth.o util.o help.o \
string_to_key.o group.o globals.o edit.o
group.o globals.o edit.o
HDRS= ud.h
PROGRAMS= ud

31
clients/ud/README
View file

@ -1,31 +0,0 @@
Users
-----
For users, see the man page on ud.
Installers
----------
For installers, see the header file. Anything that is configurable is
listed in there as a #define, and the file is pretty well commented.
Kerberos users
--------------
If you're going to use Kerberos, be sure that you have a Kerberos config file
in /etc/krb.conf of the form:
<realm>
<realm> <server-for-realm> [ admin server ]
This should be the realm in which users are going to authenticate, which
is not necessarily your realm.
You can certainly have other entries in this file, but you'll need at least
these two.
Also be sure that you have the necessary entries in /etc/services so that
your client knows on which port to find a Kerberos authentication server.
An pair of entries like this:
kerberos 750/udp kdc # Kerberos authentication
kerberos 750/tcp kdc # Kerberos authentication
is fairly typical.

230
clients/ud/auth.c
View file

@ -36,12 +36,6 @@
#include "ldap_defaults.h"
#include "ud.h"
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
static char tktpath[20]; /* ticket file path */
static int kinit();
static int valid_tgt();
#endif
static void set_bound_dn(char *s);
@ -59,12 +53,6 @@ auth( char *who, int implicit )
char *user;
#endif
char uidname[20];
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
char **krbnames; /* for kerberos names */
int kinited, ikrb;
char buf[5];
extern int krb_debug;
#endif
LDAPMessage *mp; /* returned from find() */
static char prompt[MED_BUF_SIZE]; /* place for us to sprintf the prompt */
static char name[MED_BUF_SIZE]; /* place to store the user's name */
@ -155,88 +143,21 @@ auth( char *who, int implicit )
*/
if ( (krbnames = ldap_get_values( ld, mp, "krbName" )) != NULL ) {
int choice, hassimple;
hassimple = (ldap_compare_s( ld, Entry.DN,
"userPassword", "x" ) == LDAP_COMPARE_FALSE);
(void) ldap_msgfree(mp);
/* if we're running as a server (e.g., out of inetd) */
if ( ! isatty( 1 ) ) {
strcpy( tktpath, LDAP_TMPDIR LDAP_DIRSEP "ud_tktXXXXXX" );
mktemp( tktpath );
krb_set_tkt_string( tktpath );
}
kinited = valid_tgt( krbnames );
if ( hassimple && !kinited ) {
printf(" Which password would you like to use?\n");
printf(" 1 -> LDAP password\n");
#ifdef UOFM
printf(" 2 -> UMICH password (aka Uniqname or Kerberos password)\n");
#else
printf(" 2 -> Kerberos password\n");
#endif
do {
printf(" Enter 1 or 2: ");
fflush(stdout);
fetch_buffer(buf, sizeof(buf), stdin);
choice = atoi(buf);
} while (choice != 1 && choice != 2);
authmethod = (choice == 1 ? LDAP_AUTH_SIMPLE :
LDAP_AUTH_KRBV4);
} else {
authmethod = LDAP_AUTH_KRBV4;
}
authmethod = LDAP_AUTH_KRBV4;
(void) ldap_value_free(krbnames);
} else {
authmethod = LDAP_AUTH_SIMPLE;
(void) ldap_msgfree(mp);
}
(void) ldap_msgfree(mp);
/*
* if they are already kinited, we don't need to ask for a
* password.
*/
if ( authmethod == LDAP_AUTH_KRBV4 ) {
if ( ! kinited ) {
if ( krbnames[1] != NULL ) {
int i;
/* ask which one to use */
#ifdef UOFM
printf(" Which UMICH (aka Kerberos or uniqname) name would you like to use?\n");
#else
printf(" Which Kerberos name would you like to use?\n");
#endif
for ( i = 0; krbnames[i] != NULL; i++ ) {
printf( " %d -> %s\n", i + 1,
krbnames[i] );
}
do {
printf(" Enter a number between 1 and %d: ", i );
fflush( stdout );
fetch_buffer(buf, sizeof(buf), stdin);
ikrb = atoi(buf) - 1;
} while ( ikrb > i - 1 || ikrb < 0 );
} else {
ikrb = 0;
}
/* kinit */
if ( kinit( krbnames[ikrb] ) != 0 ) {
(void) ldap_value_free(rdns);
(void) ldap_value_free(krbnames);
return(-1);
}
}
} else {
if ( authmethod != LDAP_AUTH_KRBV4 )
#endif
{
authmethod = LDAP_AUTH_SIMPLE;
sprintf(prompt, " Enter your LDAP password: ");
do {
@ -246,10 +167,8 @@ auth( char *who, int implicit )
(void) ldap_value_free(rdns);
return(0);
}
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
}
(void) ldap_value_free(krbnames);
#endif
ldap_flush_cache( ld );
rc = ldap_bind_s(ld, Entry.DN, passwd, authmethod);
if (rc != LDAP_SUCCESS) {
@ -261,12 +180,11 @@ auth( char *who, int implicit )
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
if ( authmethod == LDAP_AUTH_KRBV4 ) {
fprintf(stderr, " The Kerberos credentials are invalid.\n");
} else {
} else
#endif
{
fprintf(stderr, " The password you provided is incorrect.\n");
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
}
#endif
else
ldap_perror(ld, "ldap_bind_s" );
(void) ldap_bind_s(ld, default_bind_object,
@ -293,138 +211,6 @@ auth( char *who, int implicit )
return(0);
}
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#define FIVEMINS ( 5 * 60 )
#define TGT "krbtgt"
static int
valid_tgt( char **names )
{
int i;
char name[ ANAME_SZ ], inst[ INST_SZ ], realm[ REALM_SZ ];
CREDENTIALS cred;
for ( i = 0; names[i] != NULL; i++ ) {
if ( kname_parse( name, inst, realm, names[i] ) != KSUCCESS ) {
fprintf( stderr, "Bad format for krbName %s\n",
names[i] );
fprintf( stderr, "Contact x500@umich.edu\n" );
return( 0 );
}
#ifdef HAVE_AFS_KERBEROS
/*
* realm must be uppercase for krb_ routines
*/
ldap_pvt_str2upper( realm );
#endif /* HAVE_AFS_KERBEROS */
/*
* check ticket file for a valid ticket granting ticket
* my check is: have ticket granting ticket and it is good for
* at least 5 more minutes
*/
if ( krb_get_cred( TGT, realm, realm,
&cred ) == KSUCCESS && time( 0 ) + FIVEMINS <
cred.issue_date + (u_char)cred.lifetime * FIVEMINS ) {
return( 1 );
}
}
return( 0 );
}
static char *kauth_name;
#ifndef HAVE_KTH_KERBEROS
/*ARGSUSED*/
int
krbgetpass( char *user, char *inst, char *realm, char *pw, C_Block key )
{
char *p, lcrealm[ REALM_SZ ], prompt[256], *passwd;
#ifdef UOFM
sprintf(prompt, " Enter the UMICH password (same as Uniqname or Kerberos password)\n for %s: ", kauth_name );
#else
sprintf(prompt, " Enter Kerberos password for %s: ", kauth_name );
#endif
do {
passwd = getpassphrase(prompt);
} while (passwd != NULL && *passwd == '\0');
if (passwd == NULL) {
return(-1);
}
#ifdef HAVE_AFS_KERBEROS
strcpy( lcrealm, realm );
for ( p = lcrealm; *p != '\0'; ++p ) {
*p = TOLOWER( (unsigned char) *p );
}
ka_StringToKey( passwd, lcrealm, key );
#else /* HAVE_AFS_KERBEROS */
string_to_key( passwd, key );
#endif /* HAVE_AFS_KERBEROS */
return( 0 );
}
#endif /* HAVE_KTH_KERBEROS */
static int
kinit( char *kname )
{
int rc;
char name[ ANAME_SZ ], inst[ INST_SZ ], realm[ REALM_SZ ];
kauth_name = kname;
if ( kname_parse( name, inst, realm, kname ) != KSUCCESS ) {
fprintf( stderr, "Bad format for krbName %s\n",
kname );
fprintf( stderr, "Contact x500@umich.edu\n" );
return( -1 );
}
#ifdef HAVE_AFS_KERBEROS
/* realm must be uppercase for AFS krb_ routines */
ldap_pvt_str2upper( realm );
#endif /* HAVE_AFS_KERBEROS */
#ifdef HAVE_KTH_KERBEROS
/* Kth kerberos knows how to do both string to keys */
rc = krb_get_pw_in_tkt( name, inst, realm, TGT, realm,
DEFAULT_TKT_LIFE, 0 );
#else
rc = krb_get_in_tkt( name, inst, realm, TGT, realm,
DEFAULT_TKT_LIFE, krbgetpass, NULL, NULL );
#endif
if ( rc != KSUCCESS ) {
switch ( rc ) {
case SKDC_CANT:
fprintf( stderr, "Can't contact Kerberos server for %s\n", realm );
break;
default:
fprintf( stderr, "%s: %s\n", name, krb_err_txt[ rc ] );
break;
}
return( -1 );
}
return( 0 );
}
void
destroy_tickets( void )
{
if ( *tktpath != '\0' ) {
unlink( tktpath );
}
}
#endif
static void
set_bound_dn( char *s )
{

2
clients/ud/etc.ud.conf
View file

@ -1,2 +0,0 @@
server <your ldap server host name here>
base <your X.500 default search base here>

3
clients/ud/main.c
View file

@ -279,9 +279,6 @@ do_commands( void )
printf(" Thank you!\n");
ldap_unbind(ld);
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
destroy_tickets();
#endif
exit( EXIT_SUCCESS );
/* NOTREACHED */
}

261
clients/ud/string_to_key.c
View file

@ -1,261 +0,0 @@
/* $OpenLDAP$ */
/*
* Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved.
* COPYING RESTRICTIONS APPLY, see COPYRIGHT file
*/
#include "portable.h"
#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd)
/*
* Copyright 1985, 1986, 1987, 1988, 1989 by the Massachusetts Institute
* of Technology.
*
* For copying and distribution information, please see the file
* <mit-copyright.h>.
*
* These routines perform encryption and decryption using the DES
* private key algorithm, or else a subset of it-- fewer inner loops.
* (AUTH_DES_ITER defaults to 16, may be less.)
*
* Under U.S. law, this software may not be exported outside the US
* without license from the U.S. Commerce department.
*
* The key schedule is passed as an arg, as well as the cleartext or
* ciphertext. The cleartext and ciphertext should be in host order.
*
* These routines form the library interface to the DES facilities.
*
* spm 8/85 MIT project athena
*/
#include <stdio.h>
#include <ac/krb.h>
#if defined( DEBUG ) && defined( HAVE_DES_DEBUG )
#define USE_DES_DEBUG
extern int des_debug;
#endif
extern void des_fixup_key_parity();
#ifndef HAVE_AFS_KERBEROS
#define WORLDPEACEINOURTIME
#endif
#if defined(WORLDPEACEINOURTIME) /* Use original, not ifs version */
#ifndef HAVE_KERBEROS_V
/*
* convert an arbitrary length string to a DES key
*/
void
des_string_to_key( char *str, register des_cblock *key )
{
register char *in_str;
register unsigned temp,i;
register int j;
register long length;
static unsigned char *k_p;
static int forward;
register char *p_char;
static char k_char[64];
static des_key_schedule key_sked;
extern unsigned long des_cbc_cksum();
in_str = str;
forward = 1;
p_char = k_char;
length = strlen(str);
/* init key array for bits */
memset(k_char, '\0', sizeof(k_char));
#ifdef USE_DES_DEBUG
if (des_debug)
fprintf(stdout,
"\n\ninput str length = %d string = %s\nstring = 0x ",
length,str);
#endif
/* get next 8 bytes, strip parity, xor */
for (i = 1; i <= length; i++) {
/* get next input key byte */
temp = (unsigned int) *str++;
#ifdef USE_DES_DEBUG
if (des_debug)
fprintf(stdout,"%02x ",temp & 0xff);
#endif
/* loop through bits within byte, ignore parity */
for (j = 0; j <= 6; j++) {
if (forward)
*p_char++ ^= (int) temp & 01;
else
*--p_char ^= (int) temp & 01;
temp = temp >> 1;
} while (--j > 0);
/* check and flip direction */
if ((i%8) == 0)
forward = !forward;
}
/* now stuff into the key des_cblock, and force odd parity */
p_char = k_char;
k_p = (unsigned char *) key;
for (i = 0; i <= 7; i++) {
temp = 0;
for (j = 0; j <= 6; j++)
temp |= *p_char++ << (1+j);
*k_p++ = (unsigned char) temp;
}
/* fix key parity */
des_fixup_key_parity(key);
/* Now one-way encrypt it with the folded key */
(void) des_key_sched(key,key_sked);
(void) des_cbc_cksum((des_cblock *)in_str,key,length,key_sked,key);
/* erase key_sked */
memset((char *)key_sked, '\0', sizeof(key_sked));
/* now fix up key parity again */
des_fixup_key_parity(key);
#ifdef USE_DES_DEBUG
if (des_debug)
fprintf(stdout,
"\nResulting string_to_key = 0x%lx 0x%lx\n",
*((unsigned long *) key),
*((unsigned long *) key+1));
#endif
}
#endif /* HAVE_KERBEROS_V */
#else /* Use ifs version */
#if 0
#include <stdio.h>
/* These two needed for rxgen output to work */
#include <sys/types.h>
#include <rx/xdr.h>
#include <afs/cellconfig.h>
#include <afs/auth.h>
#include "/usr/andy/kauth/kauth.h"
#include "/usr/andy/kauth/kautils.h"
#endif
/* This defines the Andrew string_to_key function. It accepts a password
string as input and converts its via a one-way encryption algorithm to a DES
encryption key. It is compatible with the original Andrew authentication
service password database. */
static void
Andrew_StringToKey(
char *str,
char *cell, /* cell for password */
des_cblock *key
)
{ char password[8+1]; /* crypt is limited to 8 chars anyway */
int i;
int passlen;
memset(key, '\0', sizeof(des_cblock));
memset(password, '\0', sizeof(password));
strncpy (password, cell, 8);
passlen = strlen (str);
if (passlen > 8) passlen = 8;
for (i=0; i<passlen; i++)
password[i] = str[i] ^ cell[i];
for (i=0;i<8;i++)
if (password[i] == '\0') password[i] = 'X';
/* crypt only considers the first 8 characters of password but for some
reason returns eleven characters of result (plus the two salt chars). */
strncpy(key, crypt(password, "#~") + 2, sizeof(des_cblock));
/* parity is inserted into the LSB so leftshift each byte up one bit. This
allows ascii characters with a zero MSB to retain as much significance
as possible. */
{ char *keybytes = (char *)key;
unsigned int temp;
for (i = 0; i < 8; i++) {
temp = (unsigned int) keybytes[i];
keybytes[i] = (unsigned char) (temp << 1);
}
}
des_fixup_key_parity (key);
}
static void
StringToKey(
char *str,
char *cell, /* cell for password */
des_cblock *key
)
{ des_key_schedule schedule;
char temp_key[8];
char ivec[8];
char password[BUFSIZ];
int passlen;
strncpy (password, str, sizeof(password));
if ((passlen = strlen (password)) < sizeof(password)-1)
strncat (password, cell, sizeof(password)-passlen);
if ((passlen = strlen(password)) > sizeof(password)) passlen = sizeof(password);
AC_MEMCPY(ivec, "kerberos", 8);
AC_MEMCPY(temp_key, "kerberos", 8);
des_fixup_key_parity (temp_key);
des_key_sched (temp_key, schedule);
des_cbc_cksum (password, ivec, passlen, schedule, ivec);
AC_MEMCPY(temp_key, ivec, 8);
des_fixup_key_parity (temp_key);
des_key_sched (temp_key, schedule);
des_cbc_cksum (password, key, passlen, schedule, ivec);
des_fixup_key_parity (key);
}
void
ka_StringToKey (
char *str,
char *cell, /* cell for password */
des_cblock *key
)
{ char realm[REALM_SZ];
#if NOWAYOUTTODAY
long code;
#if 0
code = ka_CellToRealm (cell, realm, 0/*local*/);
#endif
if (code) strcpy (realm, "");
else lcstring (realm, realm, sizeof(realm)); /* for backward compatibility */
#else
(void)strcpy(realm, cell);
#endif
if (strlen(str) > 8) StringToKey (str, realm, key);
else Andrew_StringToKey (str, realm, key);
}
/*
* convert an arbitrary length string to a DES key
*/
int
des_string_to_key( char *str, register des_cblock *key )
{
/* NB: i should probably call routine to get local cell here */
ka_StringToKey(str, "umich.edu", key);
return 0;
}
#endif /* Use IFS Version */
#endif /* kerberos */

23
clients/ud/ud.h
View file

@ -82,15 +82,6 @@
#define G_JOIN 0
#define G_RESIGN 1
/*
* Authentication method we will be using.
*/
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
#define UD_AUTH_METHOD LDAP_AUTH_KRBV4
#else
#define UD_AUTH_METHOD LDAP_AUTH_SIMPLE
#endif
/*
* TRUE and FALSE - just in case we need them.
*/
@ -193,10 +184,6 @@ extern char Version[];
/* in auth.c: */
int auth LDAP_P(( char *who, int implicit ));
#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && defined(_AC_KRB_H)
int krbgetpass LDAP_P(( char *u, char *in, char *re, char *pw, C_Block key ));
void destroy_tickets LDAP_P(( void ));
#endif
/* in edit.c: */
void edit LDAP_P(( char *who ));
@ -263,16 +250,6 @@ void initialize_attribute_strings LDAP_P(( void ));
void print_URL LDAP_P(( struct attribute A ));
void print_one_URL LDAP_P(( char *s, int l_lead, char *tag, int u_lead ));
/* in string_to_key.c: */
#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd) && defined(_AC_KRB_H)
#if defined(HAVE_AFS_KERBEROS) || !defined(HAVE_KERBEROS_V)
void des_string_to_key LDAP_P(( char *str, des_cblock *key ));
#endif
#if defined(HAVE_AFS_KERBEROS)
void ka_StringToKey LDAP_P(( char *str, char *cell, des_cblock *key ));
#endif
#endif
/* in util.c: */
void printbase LDAP_P(( char *lead, char *s ));
void fetch_buffer LDAP_P(( char *buffer, int length, FILE *where ));

3
clients/ud/util.c
View file

@ -107,9 +107,6 @@ fatal( char *s )
{
if (errno != 0)
perror(s);
#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND
destroy_tickets();
#endif
exit( EXIT_FAILURE );
}