1 /*-
2 * Copyright (c) 1991, 1993
3 * Dave Safford. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #ifdef SRA
32 #ifdef ENCRYPTION
33 #include <sys/types.h>
34 #include <arpa/telnet.h>
35 #include <pwd.h>
36 #include <stdio.h>
37 #include <stdlib.h>
38 #include <string.h>
39 #include <syslog.h>
40 #include <ttyent.h>
41
42 #ifndef NOPAM
43 #include <security/pam_appl.h>
44 #else
45 #include <unistd.h>
46 #endif
47
48 #include "auth.h"
49 #include "misc.h"
50 #include "encrypt.h"
51 #include "pk.h"
52
53 char pka[HEXKEYBYTES+1], ska[HEXKEYBYTES+1], pkb[HEXKEYBYTES+1];
54 char *user, *pass, *xuser, *xpass;
55 DesData ck;
56 IdeaData ik;
57
58 extern int auth_debug_mode;
59 extern char line[];
60
61 static int sra_valid = 0;
62 static int passwd_sent = 0;
63
64 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
65 AUTHTYPE_SRA, };
66
67 #define SRA_KEY 0
68 #define SRA_USER 1
69 #define SRA_CONTINUE 2
70 #define SRA_PASS 3
71 #define SRA_ACCEPT 4
72 #define SRA_REJECT 5
73
74 static int check_user(char *, char *);
75
76 /* support routine to send out authentication message */
77 static int
Data(Authenticator * ap,int type,void * d,int c)78 Data(Authenticator *ap, int type, void *d, int c)
79 {
80 unsigned char *p = str_data + 4;
81 unsigned char *cd = (unsigned char *)d;
82
83 if (c == -1)
84 c = strlen((char *)cd);
85
86 if (auth_debug_mode) {
87 printf("%s:%d: [%d] (%d)",
88 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
89 str_data[3],
90 type, c);
91 printd(d, c);
92 printf("\r\n");
93 }
94 *p++ = ap->type;
95 *p++ = ap->way;
96 *p++ = type;
97 while (c-- > 0) {
98 if ((*p++ = *cd++) == IAC)
99 *p++ = IAC;
100 }
101 *p++ = IAC;
102 *p++ = SE;
103 if (str_data[3] == TELQUAL_IS)
104 printsub('>', &str_data[2], p - (&str_data[2]));
105 return(net_write(str_data, p - str_data));
106 }
107
108 int
sra_init(Authenticator * ap __unused,int server)109 sra_init(Authenticator *ap __unused, int server)
110 {
111 if (server)
112 str_data[3] = TELQUAL_REPLY;
113 else
114 str_data[3] = TELQUAL_IS;
115
116 user = (char *)malloc(256);
117 xuser = (char *)malloc(513);
118 pass = (char *)malloc(256);
119 xpass = (char *)malloc(513);
120
121 if (user == NULL || xuser == NULL || pass == NULL || xpass ==
122 NULL)
123 return 0; /* malloc failed */
124
125 passwd_sent = 0;
126
127 genkeys(pka,ska);
128 return(1);
129 }
130
131 /* client received a go-ahead for sra */
132 int
sra_send(Authenticator * ap)133 sra_send(Authenticator *ap)
134 {
135 /* send PKA */
136
137 if (auth_debug_mode)
138 printf("Sent PKA to server.\r\n" );
139 printf("Trying SRA secure login:\r\n");
140 if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
141 if (auth_debug_mode)
142 printf("Not enough room for authentication data\r\n");
143 return(0);
144 }
145
146 return(1);
147 }
148
149 /* server received an IS -- could be SRA KEY, USER, or PASS */
150 void
sra_is(Authenticator * ap,unsigned char * data,int cnt)151 sra_is(Authenticator *ap, unsigned char *data, int cnt)
152 {
153 int valid;
154 Session_Key skey;
155
156 if (cnt-- < 1)
157 goto bad;
158 switch (*data++) {
159
160 case SRA_KEY:
161 if (cnt < HEXKEYBYTES) {
162 Data(ap, SRA_REJECT, (void *)0, 0);
163 auth_finished(ap, AUTH_USER);
164 if (auth_debug_mode) {
165 printf("SRA user rejected for bad PKB\r\n");
166 }
167 return;
168 }
169 if (auth_debug_mode)
170 printf("Sent pka\r\n");
171 if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
172 if (auth_debug_mode)
173 printf("Not enough room\r\n");
174 return;
175 }
176 memcpy(pkb,data,HEXKEYBYTES);
177 pkb[HEXKEYBYTES] = '\0';
178 common_key(ska,pkb,&ik,&ck);
179 return;
180
181 case SRA_USER:
182 /* decode KAB(u) */
183 if (cnt > 512) /* Attempted buffer overflow */
184 break;
185 memcpy(xuser,data,cnt);
186 xuser[cnt] = '\0';
187 pk_decode(xuser,user,&ck);
188 auth_encrypt_user(user);
189 Data(ap, SRA_CONTINUE, (void *)0, 0);
190
191 return;
192
193 case SRA_PASS:
194 if (cnt > 512) /* Attempted buffer overflow */
195 break;
196 /* decode KAB(P) */
197 memcpy(xpass,data,cnt);
198 xpass[cnt] = '\0';
199 pk_decode(xpass,pass,&ck);
200
201 /* check user's password */
202 valid = check_user(user,pass);
203
204 if(valid) {
205 Data(ap, SRA_ACCEPT, (void *)0, 0);
206 skey.data = ck;
207 skey.type = SK_DES;
208 skey.length = 8;
209 encrypt_session_key(&skey, 1);
210
211 sra_valid = 1;
212 auth_finished(ap, AUTH_VALID);
213 if (auth_debug_mode) {
214 printf("SRA user accepted\r\n");
215 }
216 }
217 else {
218 Data(ap, SRA_CONTINUE, (void *)0, 0);
219 /*
220 Data(ap, SRA_REJECT, (void *)0, 0);
221 sra_valid = 0;
222 auth_finished(ap, AUTH_REJECT);
223 */
224 if (auth_debug_mode) {
225 printf("SRA user failed\r\n");
226 }
227 }
228 return;
229
230 default:
231 if (auth_debug_mode)
232 printf("Unknown SRA option %d\r\n", data[-1]);
233 }
234 bad:
235 Data(ap, SRA_REJECT, 0, 0);
236 sra_valid = 0;
237 auth_finished(ap, AUTH_REJECT);
238 }
239
240 /* client received REPLY -- could be SRA KEY, CONTINUE, ACCEPT, or REJECT */
241 void
sra_reply(Authenticator * ap,unsigned char * data,int cnt)242 sra_reply(Authenticator *ap, unsigned char *data, int cnt)
243 {
244 char uprompt[256 + 10]; /* +10 for "User (): " */
245 char tuser[256];
246 Session_Key skey;
247 size_t i, len;
248
249 if (cnt-- < 1)
250 return;
251 switch (*data++) {
252
253 case SRA_KEY:
254 /* calculate common key */
255 if (cnt < HEXKEYBYTES) {
256 if (auth_debug_mode) {
257 printf("SRA user rejected for bad PKB\r\n");
258 }
259 return;
260 }
261 memcpy(pkb,data,HEXKEYBYTES);
262 pkb[HEXKEYBYTES] = '\0';
263
264 common_key(ska,pkb,&ik,&ck);
265
266 enc_user:
267
268 /* encode user */
269 memset(tuser,0,sizeof(tuser));
270 len = snprintf(uprompt, sizeof(uprompt), "User (%s): ",
271 UserNameRequested);
272 if (len >= sizeof(uprompt)) {
273 if (auth_debug_mode) {
274 printf("SRA user name too long\r\n");
275 }
276 return;
277 }
278 telnet_gets(uprompt, tuser, sizeof(tuser) - 1, 1);
279 if (tuser[0] == '\n' || tuser[0] == '\r' )
280 strcpy(user,UserNameRequested);
281 else {
282 /* telnet_gets leaves the newline on */
283 for(i=0;i<sizeof(tuser);i++) {
284 if (tuser[i] == '\n') {
285 tuser[i] = '\0';
286 break;
287 }
288 }
289 strcpy(user,tuser);
290 }
291 pk_encode(user,xuser,&ck);
292
293 /* send it off */
294 if (auth_debug_mode)
295 printf("Sent KAB(U)\r\n");
296 if (!Data(ap, SRA_USER, (void *)xuser, strlen(xuser))) {
297 if (auth_debug_mode)
298 printf("Not enough room\r\n");
299 return;
300 }
301 break;
302
303 case SRA_CONTINUE:
304 if (passwd_sent) {
305 passwd_sent = 0;
306 printf("[ SRA login failed ]\r\n");
307 goto enc_user;
308 }
309 /* encode password */
310 memset(pass,0,256);
311 telnet_gets("Password: ",pass,255,0);
312 pk_encode(pass,xpass,&ck);
313 /* send it off */
314 if (auth_debug_mode)
315 printf("Sent KAB(P)\r\n");
316 if (!Data(ap, SRA_PASS, (void *)xpass, strlen(xpass))) {
317 if (auth_debug_mode)
318 printf("Not enough room\r\n");
319 return;
320 }
321 passwd_sent = 1;
322 break;
323
324 case SRA_REJECT:
325 printf("[ SRA refuses authentication ]\r\n");
326 printf("Trying plaintext login:\r\n");
327 auth_finished(0,AUTH_REJECT);
328 return;
329
330 case SRA_ACCEPT:
331 printf("[ SRA accepts you ]\r\n");
332 skey.data = ck;
333 skey.type = SK_DES;
334 skey.length = 8;
335 encrypt_session_key(&skey, 0);
336
337 auth_finished(ap, AUTH_VALID);
338 return;
339 default:
340 if (auth_debug_mode)
341 printf("Unknown SRA option %d\r\n", data[-1]);
342 return;
343 }
344 }
345
346 int
sra_status(Authenticator * ap __unused,char * name,int level)347 sra_status(Authenticator *ap __unused, char *name, int level)
348 {
349 if (level < AUTH_USER)
350 return(level);
351 if (UserNameRequested && sra_valid) {
352 strcpy(name, UserNameRequested);
353 return(AUTH_VALID);
354 } else
355 return(AUTH_USER);
356 }
357
358 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
359 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
360
361 void
sra_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)362 sra_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
363 {
364 char lbuf[32];
365 int i;
366
367 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
368 buflen -= 1;
369
370 switch(data[3]) {
371
372 case SRA_CONTINUE:
373 strncpy((char *)buf, " CONTINUE ", buflen);
374 goto common;
375
376 case SRA_REJECT: /* Rejected (reason might follow) */
377 strncpy((char *)buf, " REJECT ", buflen);
378 goto common;
379
380 case SRA_ACCEPT: /* Accepted (name might follow) */
381 strncpy((char *)buf, " ACCEPT ", buflen);
382
383 common:
384 BUMP(buf, buflen);
385 if (cnt <= 4)
386 break;
387 ADDC(buf, buflen, '"');
388 for (i = 4; i < cnt; i++)
389 ADDC(buf, buflen, data[i]);
390 ADDC(buf, buflen, '"');
391 ADDC(buf, buflen, '\0');
392 break;
393
394 case SRA_KEY: /* Authentication data follows */
395 strncpy((char *)buf, " KEY ", buflen);
396 goto common2;
397
398 case SRA_USER:
399 strncpy((char *)buf, " USER ", buflen);
400 goto common2;
401
402 case SRA_PASS:
403 strncpy((char *)buf, " PASS ", buflen);
404 goto common2;
405
406 default:
407 sprintf(lbuf, " %d (unknown)", data[3]);
408 strncpy((char *)buf, lbuf, buflen);
409 common2:
410 BUMP(buf, buflen);
411 for (i = 4; i < cnt; i++) {
412 sprintf(lbuf, " %d", data[i]);
413 strncpy((char *)buf, lbuf, buflen);
414 BUMP(buf, buflen);
415 }
416 break;
417 }
418 }
419
420 static int
isroot(const char * usr)421 isroot(const char *usr)
422 {
423 struct passwd *pwd;
424
425 if ((pwd=getpwnam(usr))==NULL)
426 return 0;
427 return (!pwd->pw_uid);
428 }
429
430 static int
rootterm(char * ttyn)431 rootterm(char *ttyn)
432 {
433 struct ttyent *t;
434
435 return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
436 }
437
438 #ifdef NOPAM
439 static int
check_user(char * name,char * cred)440 check_user(char *name, char *cred)
441 {
442 char *cp;
443 char *xpasswd, *salt;
444
445 if (isroot(name) && !rootterm(line))
446 {
447 crypt("AA","*"); /* Waste some time to simulate success */
448 return(0);
449 }
450
451 if (pw = sgetpwnam(name)) {
452 if (pw->pw_shell == NULL) {
453 pw = (struct passwd *) NULL;
454 return(0);
455 }
456
457 salt = pw->pw_passwd;
458 xpasswd = crypt(cred, salt);
459 /* The strcmp does not catch null passwords! */
460 if (pw == NULL || *pw->pw_passwd == '\0' ||
461 strcmp(xpasswd, pw->pw_passwd)) {
462 pw = (struct passwd *) NULL;
463 return(0);
464 }
465 return(1);
466 }
467 return(0);
468 }
469 #else
470
471 /*
472 * The following is stolen from ftpd, which stole it from the imap-uw
473 * PAM module and login.c. It is needed because we can't really
474 * "converse" with the user, having already gone to the trouble of
475 * getting their username and password through an encrypted channel.
476 */
477
478 #define COPY_STRING(s) (s ? strdup(s):NULL)
479
480 struct cred_t {
481 const char *uname;
482 const char *pass;
483 };
484 typedef struct cred_t cred_t;
485
486 static int
auth_conv(int num_msg,const struct pam_message ** msg,struct pam_response ** resp,void * appdata)487 auth_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata)
488 {
489 int i;
490 cred_t *cred = (cred_t *) appdata;
491 struct pam_response *reply =
492 malloc(sizeof(struct pam_response) * num_msg);
493
494 if (reply == NULL)
495 return PAM_BUF_ERR;
496
497 for (i = 0; i < num_msg; i++) {
498 switch (msg[i]->msg_style) {
499 case PAM_PROMPT_ECHO_ON: /* assume want user name */
500 reply[i].resp_retcode = PAM_SUCCESS;
501 reply[i].resp = COPY_STRING(cred->uname);
502 /* PAM frees resp. */
503 break;
504 case PAM_PROMPT_ECHO_OFF: /* assume want password */
505 reply[i].resp_retcode = PAM_SUCCESS;
506 reply[i].resp = COPY_STRING(cred->pass);
507 /* PAM frees resp. */
508 break;
509 case PAM_TEXT_INFO:
510 case PAM_ERROR_MSG:
511 reply[i].resp_retcode = PAM_SUCCESS;
512 reply[i].resp = NULL;
513 break;
514 default: /* unknown message style */
515 free(reply);
516 return PAM_CONV_ERR;
517 }
518 }
519
520 *resp = reply;
521 return PAM_SUCCESS;
522 }
523
524 /*
525 * The PAM version as a side effect may put a new username in *name.
526 */
527 static int
check_user(char * name,char * cred)528 check_user(char *name, char *cred)
529 {
530 pam_handle_t *pamh = NULL;
531 const void *item;
532 int rval;
533 int e;
534 cred_t auth_cred = { name, cred };
535 struct pam_conv conv = { &auth_conv, &auth_cred };
536
537 e = pam_start("telnetd", name, &conv, &pamh);
538 if (e != PAM_SUCCESS) {
539 syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
540 return 0;
541 }
542
543 #if 0 /* Where can we find this value? */
544 e = pam_set_item(pamh, PAM_RHOST, remotehost);
545 if (e != PAM_SUCCESS) {
546 syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
547 pam_strerror(pamh, e));
548 return 0;
549 }
550 #endif
551
552 e = pam_authenticate(pamh, 0);
553 switch (e) {
554 case PAM_SUCCESS:
555 /*
556 * With PAM we support the concept of a "template"
557 * user. The user enters a login name which is
558 * authenticated by PAM, usually via a remote service
559 * such as RADIUS or TACACS+. If authentication
560 * succeeds, a different but related "template" name
561 * is used for setting the credentials, shell, and
562 * home directory. The name the user enters need only
563 * exist on the remote authentication server, but the
564 * template name must be present in the local password
565 * database.
566 *
567 * This is supported by two various mechanisms in the
568 * individual modules. However, from the application's
569 * point of view, the template user is always passed
570 * back as a changed value of the PAM_USER item.
571 */
572 if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
573 PAM_SUCCESS) {
574 strcpy(name, item);
575 } else
576 syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
577 pam_strerror(pamh, e));
578 if (isroot(name) && !rootterm(line))
579 rval = 0;
580 else
581 rval = 1;
582 break;
583
584 case PAM_AUTH_ERR:
585 case PAM_USER_UNKNOWN:
586 case PAM_MAXTRIES:
587 rval = 0;
588 break;
589
590 default:
591 syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
592 rval = 0;
593 break;
594 }
595
596 if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
597 syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
598 rval = 0;
599 }
600 return rval;
601 }
602
603 #endif
604
605 #endif /* ENCRYPTION */
606 #endif /* SRA */
607