1 /*
2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
4 * All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #include "kpasswd_locl.h"
35 RCSID("$Id$");
36
37 #include <kadm5/admin.h>
38 #ifdef HAVE_SYS_UN_H
39 #include <sys/un.h>
40 #endif
41 #include <hdb.h>
42 #include <kadm5/private.h>
43
44 static krb5_context context;
45 static krb5_log_facility *log_facility;
46
47 static struct getarg_strings addresses_str;
48 krb5_addresses explicit_addresses;
49
50 static sig_atomic_t exit_flag = 0;
51
52 static void
add_one_address(const char * str,int first)53 add_one_address (const char *str, int first)
54 {
55 krb5_error_code ret;
56 krb5_addresses tmp;
57
58 ret = krb5_parse_address (context, str, &tmp);
59 if (ret)
60 krb5_err (context, 1, ret, "parse_address `%s'", str);
61 if (first)
62 krb5_copy_addresses(context, &tmp, &explicit_addresses);
63 else
64 krb5_append_addresses(context, &explicit_addresses, &tmp);
65 krb5_free_addresses (context, &tmp);
66 }
67
68 static void
send_reply(int s,struct sockaddr * sa,int sa_size,krb5_data * ap_rep,krb5_data * rest)69 send_reply (int s,
70 struct sockaddr *sa,
71 int sa_size,
72 krb5_data *ap_rep,
73 krb5_data *rest)
74 {
75 struct msghdr msghdr;
76 struct iovec iov[3];
77 uint16_t len, ap_rep_len;
78 u_char header[6];
79 u_char *p;
80
81 if (ap_rep)
82 ap_rep_len = ap_rep->length;
83 else
84 ap_rep_len = 0;
85
86 len = 6 + ap_rep_len + rest->length;
87 p = header;
88 *p++ = (len >> 8) & 0xFF;
89 *p++ = (len >> 0) & 0xFF;
90 *p++ = 0;
91 *p++ = 1;
92 *p++ = (ap_rep_len >> 8) & 0xFF;
93 *p++ = (ap_rep_len >> 0) & 0xFF;
94
95 memset (&msghdr, 0, sizeof(msghdr));
96 msghdr.msg_name = (void *)sa;
97 msghdr.msg_namelen = sa_size;
98 msghdr.msg_iov = iov;
99 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
100 #if 0
101 msghdr.msg_control = NULL;
102 msghdr.msg_controllen = 0;
103 #endif
104
105 iov[0].iov_base = (char *)header;
106 iov[0].iov_len = 6;
107 if (ap_rep_len) {
108 iov[1].iov_base = ap_rep->data;
109 iov[1].iov_len = ap_rep->length;
110 } else {
111 iov[1].iov_base = NULL;
112 iov[1].iov_len = 0;
113 }
114 iov[2].iov_base = rest->data;
115 iov[2].iov_len = rest->length;
116
117 if (sendmsg (s, &msghdr, 0) < 0)
118 krb5_warn (context, errno, "sendmsg");
119 }
120
121 static int
make_result(krb5_data * data,uint16_t result_code,const char * expl)122 make_result (krb5_data *data,
123 uint16_t result_code,
124 const char *expl)
125 {
126 char *str;
127 krb5_data_zero (data);
128
129 data->length = asprintf (&str,
130 "%c%c%s",
131 (result_code >> 8) & 0xFF,
132 result_code & 0xFF,
133 expl);
134
135 if (str == NULL) {
136 krb5_warnx (context, "Out of memory generating error reply");
137 return 1;
138 }
139 data->data = str;
140 return 0;
141 }
142
143 static void
reply_error(krb5_realm realm,int s,struct sockaddr * sa,int sa_size,krb5_error_code error_code,uint16_t result_code,const char * expl)144 reply_error (krb5_realm realm,
145 int s,
146 struct sockaddr *sa,
147 int sa_size,
148 krb5_error_code error_code,
149 uint16_t result_code,
150 const char *expl)
151 {
152 krb5_error_code ret;
153 krb5_data error_data;
154 krb5_data e_data;
155 krb5_principal server = NULL;
156
157 if (make_result(&e_data, result_code, expl))
158 return;
159
160 if (realm) {
161 ret = krb5_make_principal (context, &server, realm,
162 "kadmin", "changepw", NULL);
163 if (ret) {
164 krb5_data_free (&e_data);
165 return;
166 }
167 }
168
169 ret = krb5_mk_error (context,
170 error_code,
171 NULL,
172 &e_data,
173 NULL,
174 server,
175 NULL,
176 NULL,
177 &error_data);
178 if (server)
179 krb5_free_principal(context, server);
180 krb5_data_free (&e_data);
181 if (ret) {
182 krb5_warn (context, ret, "Could not even generate error reply");
183 return;
184 }
185 send_reply (s, sa, sa_size, NULL, &error_data);
186 krb5_data_free (&error_data);
187 }
188
189 static void
reply_priv(krb5_auth_context auth_context,int s,struct sockaddr * sa,int sa_size,uint16_t result_code,const char * expl)190 reply_priv (krb5_auth_context auth_context,
191 int s,
192 struct sockaddr *sa,
193 int sa_size,
194 uint16_t result_code,
195 const char *expl)
196 {
197 krb5_error_code ret;
198 krb5_data krb_priv_data;
199 krb5_data ap_rep_data;
200 krb5_data e_data;
201
202 ret = krb5_mk_rep (context,
203 auth_context,
204 &ap_rep_data);
205 if (ret) {
206 krb5_warn (context, ret, "Could not even generate error reply");
207 return;
208 }
209
210 if (make_result(&e_data, result_code, expl))
211 return;
212
213 ret = krb5_mk_priv (context,
214 auth_context,
215 &e_data,
216 &krb_priv_data,
217 NULL);
218 krb5_data_free (&e_data);
219 if (ret) {
220 krb5_warn (context, ret, "Could not even generate error reply");
221 return;
222 }
223 send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
224 krb5_data_free (&ap_rep_data);
225 krb5_data_free (&krb_priv_data);
226 }
227
228 /*
229 * Change the password for `principal', sending the reply back on `s'
230 * (`sa', `sa_size') to `pwd_data'.
231 */
232
233 static void
change(krb5_auth_context auth_context,krb5_principal admin_principal,uint16_t version,int s,struct sockaddr * sa,int sa_size,krb5_data * in_data)234 change (krb5_auth_context auth_context,
235 krb5_principal admin_principal,
236 uint16_t version,
237 int s,
238 struct sockaddr *sa,
239 int sa_size,
240 krb5_data *in_data)
241 {
242 krb5_error_code ret;
243 char *client = NULL, *admin = NULL;
244 const char *pwd_reason;
245 kadm5_config_params conf;
246 void *kadm5_handle = NULL;
247 krb5_principal principal = NULL;
248 krb5_data *pwd_data = NULL;
249 char *tmp;
250 ChangePasswdDataMS chpw;
251
252 memset (&conf, 0, sizeof(conf));
253 memset(&chpw, 0, sizeof(chpw));
254
255 if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
256 ret = krb5_copy_data(context, in_data, &pwd_data);
257 if (ret) {
258 krb5_warn (context, ret, "krb5_copy_data");
259 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
260 "out out memory copying password");
261 return;
262 }
263 principal = admin_principal;
264 } else if (version == KRB5_KPASSWD_VERS_SETPW) {
265 size_t len;
266
267 ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
268 &chpw, &len);
269 if (ret) {
270 krb5_warn (context, ret, "decode_ChangePasswdDataMS");
271 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
272 "malformed ChangePasswdData");
273 return;
274 }
275
276
277 ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
278 if (ret) {
279 krb5_warn (context, ret, "krb5_copy_data");
280 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
281 "out out memory copying password");
282 goto out;
283 }
284
285 if (chpw.targname == NULL && chpw.targrealm != NULL) {
286 krb5_warn (context, ret, "kadm5_init_with_password_ctx");
287 reply_priv (auth_context, s, sa, sa_size,
288 KRB5_KPASSWD_MALFORMED,
289 "targrealm but not targname");
290 goto out;
291 }
292
293 if (chpw.targname) {
294 krb5_principal_data princ;
295
296 princ.name = *chpw.targname;
297 princ.realm = *chpw.targrealm;
298 if (princ.realm == NULL) {
299 ret = krb5_get_default_realm(context, &princ.realm);
300
301 if (ret) {
302 krb5_warnx (context,
303 "kadm5_init_with_password_ctx: "
304 "failed to allocate realm");
305 reply_priv (auth_context, s, sa, sa_size,
306 KRB5_KPASSWD_SOFTERROR,
307 "failed to allocate realm");
308 goto out;
309 }
310 }
311 ret = krb5_copy_principal(context, &princ, &principal);
312 if (*chpw.targrealm == NULL)
313 free(princ.realm);
314 if (ret) {
315 krb5_warn(context, ret, "krb5_copy_principal");
316 reply_priv(auth_context, s, sa, sa_size,
317 KRB5_KPASSWD_HARDERROR,
318 "failed to allocate principal");
319 goto out;
320 }
321 } else
322 principal = admin_principal;
323 } else {
324 krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
325 reply_priv (auth_context, s, sa, sa_size,
326 KRB5_KPASSWD_HARDERROR,
327 "Unknown protocol used");
328 return;
329 }
330
331 ret = krb5_unparse_name (context, admin_principal, &admin);
332 if (ret) {
333 krb5_warn (context, ret, "unparse_name failed");
334 reply_priv (auth_context, s, sa, sa_size,
335 KRB5_KPASSWD_HARDERROR, "out of memory error");
336 goto out;
337 }
338
339 conf.realm = principal->realm;
340 conf.mask |= KADM5_CONFIG_REALM;
341
342 ret = kadm5_init_with_password_ctx(context,
343 admin,
344 NULL,
345 KADM5_ADMIN_SERVICE,
346 &conf, 0, 0,
347 &kadm5_handle);
348 if (ret) {
349 krb5_warn (context, ret, "kadm5_init_with_password_ctx");
350 reply_priv (auth_context, s, sa, sa_size, 2,
351 "Internal error");
352 goto out;
353 }
354
355 ret = krb5_unparse_name(context, principal, &client);
356 if (ret) {
357 krb5_warn (context, ret, "unparse_name failed");
358 reply_priv (auth_context, s, sa, sa_size,
359 KRB5_KPASSWD_HARDERROR, "out of memory error");
360 goto out;
361 }
362
363 /*
364 * Check password quality if not changing as administrator
365 */
366
367 if (krb5_principal_compare(context, admin_principal, principal) == TRUE) {
368
369 pwd_reason = kadm5_check_password_quality (context, principal,
370 pwd_data);
371 if (pwd_reason != NULL ) {
372 krb5_warnx (context,
373 "%s didn't pass password quality check with error: %s",
374 client, pwd_reason);
375 reply_priv (auth_context, s, sa, sa_size,
376 KRB5_KPASSWD_SOFTERROR, pwd_reason);
377 goto out;
378 }
379 krb5_warnx (context, "Changing password for %s", client);
380 } else {
381 ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW,
382 principal);
383 if (ret) {
384 krb5_warn (context, ret,
385 "Check ACL failed for %s for changing %s password",
386 admin, client);
387 reply_priv (auth_context, s, sa, sa_size,
388 KRB5_KPASSWD_HARDERROR, "permission denied");
389 goto out;
390 }
391 krb5_warnx (context, "%s is changing password for %s", admin, client);
392 }
393
394 ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
395 if (ret) {
396 krb5_warn (context, ret, "malloc: out of memory");
397 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR,
398 "Internal error");
399 goto out;
400 }
401 tmp = pwd_data->data;
402 tmp[pwd_data->length - 1] = '\0';
403
404 ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
405 krb5_free_data (context, pwd_data);
406 pwd_data = NULL;
407 if (ret) {
408 const char *str = krb5_get_error_message(context, ret);
409 krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
410 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR,
411 str ? str : "Internal error");
412 krb5_free_error_message(context, str);
413 goto out;
414 }
415 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS,
416 "Password changed");
417 out:
418 free_ChangePasswdDataMS(&chpw);
419 if (principal != admin_principal)
420 krb5_free_principal(context, principal);
421 if (admin)
422 free(admin);
423 if (client)
424 free(client);
425 if (pwd_data)
426 krb5_free_data(context, pwd_data);
427 if (kadm5_handle)
428 kadm5_destroy (kadm5_handle);
429 }
430
431 static int
verify(krb5_auth_context * auth_context,krb5_realm * realms,krb5_keytab keytab,krb5_ticket ** ticket,krb5_data * out_data,uint16_t * version,int s,struct sockaddr * sa,int sa_size,u_char * msg,size_t len,krb5_address * client_addr)432 verify (krb5_auth_context *auth_context,
433 krb5_realm *realms,
434 krb5_keytab keytab,
435 krb5_ticket **ticket,
436 krb5_data *out_data,
437 uint16_t *version,
438 int s,
439 struct sockaddr *sa,
440 int sa_size,
441 u_char *msg,
442 size_t len,
443 krb5_address *client_addr)
444 {
445 krb5_error_code ret;
446 uint16_t pkt_len, pkt_ver, ap_req_len;
447 krb5_data ap_req_data;
448 krb5_data krb_priv_data;
449 krb5_realm *r;
450
451 /*
452 * Only send an error reply if the request passes basic length
453 * verification. Otherwise, kpasswdd would reply to every UDP packet,
454 * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP
455 * packet with a source address of another UDP service that also replies
456 * to every packet.
457 *
458 * Also suppress the error reply if ap_req_len is 0, which indicates
459 * either an invalid request or an error packet. An error packet may be
460 * the result of a ping-pong attacker pointing us at another kpasswdd.
461 */
462 pkt_len = (msg[0] << 8) | (msg[1]);
463 pkt_ver = (msg[2] << 8) | (msg[3]);
464 ap_req_len = (msg[4] << 8) | (msg[5]);
465 if (pkt_len != len) {
466 krb5_warnx (context, "Strange len: %ld != %ld",
467 (long)pkt_len, (long)len);
468 return 1;
469 }
470 if (ap_req_len == 0) {
471 krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
472 return 1;
473 }
474 if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
475 pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
476 krb5_warnx (context, "Bad version (%d)", pkt_ver);
477 reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version");
478 return 1;
479 }
480 *version = pkt_ver;
481
482 ap_req_data.data = msg + 6;
483 ap_req_data.length = ap_req_len;
484
485 ret = krb5_rd_req (context,
486 auth_context,
487 &ap_req_data,
488 NULL,
489 keytab,
490 NULL,
491 ticket);
492 if (ret) {
493 krb5_warn (context, ret, "krb5_rd_req");
494 reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed");
495 return 1;
496 }
497
498 /* verify realm and principal */
499 for (r = realms; *r != NULL; r++) {
500 krb5_principal principal;
501 krb5_boolean same;
502
503 ret = krb5_make_principal (context,
504 &principal,
505 *r,
506 "kadmin",
507 "changepw",
508 NULL);
509 if (ret)
510 krb5_err (context, 1, ret, "krb5_make_principal");
511
512 same = krb5_principal_compare(context, principal, (*ticket)->server);
513 krb5_free_principal(context, principal);
514 if (same == TRUE)
515 break;
516 }
517 if (*r == NULL) {
518 char *str;
519 krb5_unparse_name(context, (*ticket)->server, &str);
520 krb5_warnx (context, "client used not valid principal %s", str);
521 free(str);
522 reply_error (NULL, s, sa, sa_size, ret, 1,
523 "Bad request");
524 goto out;
525 }
526
527 if (strcmp((*ticket)->server->realm, (*ticket)->client->realm) != 0) {
528 krb5_warnx (context, "server realm (%s) not same a client realm (%s)",
529 (*ticket)->server->realm, (*ticket)->client->realm);
530 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
531 "Bad request");
532 goto out;
533 }
534
535 if (!(*ticket)->ticket.flags.initial) {
536 krb5_warnx (context, "initial flag not set");
537 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
538 "Bad request");
539 goto out;
540 }
541 krb_priv_data.data = msg + 6 + ap_req_len;
542 krb_priv_data.length = len - 6 - ap_req_len;
543
544 /*
545 * Only enforce client addresses on on tickets with addresses. If
546 * its addressless, we are guessing its behind NAT and really
547 * can't know this information.
548 */
549
550 if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
551 ret = krb5_auth_con_setaddrs (context, *auth_context,
552 NULL, client_addr);
553 if (ret) {
554 krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
555 goto out;
556 }
557 }
558
559 ret = krb5_rd_priv (context,
560 *auth_context,
561 &krb_priv_data,
562 out_data,
563 NULL);
564
565 if (ret) {
566 krb5_warn (context, ret, "krb5_rd_priv");
567 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3,
568 "Bad request");
569 goto out;
570 }
571 return 0;
572 out:
573 krb5_free_ticket (context, *ticket);
574 ticket = NULL;
575 return 1;
576 }
577
578 static void
process(krb5_realm * realms,krb5_keytab keytab,int s,krb5_address * this_addr,struct sockaddr * sa,int sa_size,u_char * msg,int len)579 process (krb5_realm *realms,
580 krb5_keytab keytab,
581 int s,
582 krb5_address *this_addr,
583 struct sockaddr *sa,
584 int sa_size,
585 u_char *msg,
586 int len)
587 {
588 krb5_error_code ret;
589 krb5_auth_context auth_context = NULL;
590 krb5_data out_data;
591 krb5_ticket *ticket;
592 krb5_address other_addr;
593 uint16_t version;
594
595 memset(&other_addr, 0, sizeof(other_addr));
596 krb5_data_zero (&out_data);
597
598 ret = krb5_auth_con_init (context, &auth_context);
599 if (ret) {
600 krb5_warn (context, ret, "krb5_auth_con_init");
601 return;
602 }
603
604 krb5_auth_con_setflags (context, auth_context,
605 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
606
607 ret = krb5_sockaddr2address (context, sa, &other_addr);
608 if (ret) {
609 krb5_warn (context, ret, "krb5_sockaddr2address");
610 goto out;
611 }
612
613 ret = krb5_auth_con_setaddrs (context, auth_context, this_addr, NULL);
614 if (ret) {
615 krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
616 goto out;
617 }
618
619 if (verify (&auth_context, realms, keytab, &ticket, &out_data,
620 &version, s, sa, sa_size, msg, len, &other_addr) == 0)
621 {
622 /*
623 * We always set the client_addr, to assume that the client
624 * can ignore it if it choose to do so (just the server does
625 * so for addressless tickets).
626 */
627 ret = krb5_auth_con_setaddrs (context, auth_context,
628 this_addr, &other_addr);
629 if (ret) {
630 krb5_warn (context, ret, "krb5_auth_con_setaddr(other)");
631 goto out;
632 }
633
634 change (auth_context,
635 ticket->client,
636 version,
637 s,
638 sa, sa_size,
639 &out_data);
640 memset (out_data.data, 0, out_data.length);
641 krb5_free_ticket (context, ticket);
642 }
643
644 out:
645 krb5_free_address(context, &other_addr);
646 krb5_data_free(&out_data);
647 krb5_auth_con_free(context, auth_context);
648 }
649
650 static int
doit(krb5_keytab keytab,int port)651 doit (krb5_keytab keytab, int port)
652 {
653 krb5_error_code ret;
654 int *sockets;
655 int maxfd;
656 krb5_realm *realms;
657 krb5_addresses addrs;
658 unsigned n, i;
659 fd_set real_fdset;
660 struct sockaddr_storage __ss;
661 struct sockaddr *sa = (struct sockaddr *)&__ss;
662
663 ret = krb5_get_default_realms(context, &realms);
664 if (ret)
665 krb5_err (context, 1, ret, "krb5_get_default_realms");
666
667 if (explicit_addresses.len) {
668 addrs = explicit_addresses;
669 } else {
670 ret = krb5_get_all_server_addrs (context, &addrs);
671 if (ret)
672 krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
673 }
674 n = addrs.len;
675
676 sockets = malloc (n * sizeof(*sockets));
677 if (sockets == NULL)
678 krb5_errx (context, 1, "out of memory");
679 maxfd = -1;
680 FD_ZERO(&real_fdset);
681 for (i = 0; i < n; ++i) {
682 krb5_socklen_t sa_size = sizeof(__ss);
683
684 krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
685
686 sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
687 if (sockets[i] < 0)
688 krb5_err (context, 1, errno, "socket");
689 if (bind (sockets[i], sa, sa_size) < 0) {
690 char str[128];
691 size_t len;
692 int save_errno = errno;
693
694 ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
695 if (ret)
696 strlcpy(str, "unknown address", sizeof(str));
697 krb5_warn (context, save_errno, "bind(%s)", str);
698 continue;
699 }
700 maxfd = max (maxfd, sockets[i]);
701 if (maxfd >= FD_SETSIZE)
702 krb5_errx (context, 1, "fd too large");
703 FD_SET(sockets[i], &real_fdset);
704 }
705 if (maxfd == -1)
706 krb5_errx (context, 1, "No sockets!");
707
708 while(exit_flag == 0) {
709 krb5_ssize_t retx;
710 fd_set fdset = real_fdset;
711
712 retx = select (maxfd + 1, &fdset, NULL, NULL, NULL);
713 if (retx < 0) {
714 if (errno == EINTR)
715 continue;
716 else
717 krb5_err (context, 1, errno, "select");
718 }
719 for (i = 0; i < n; ++i)
720 if (FD_ISSET(sockets[i], &fdset)) {
721 u_char buf[BUFSIZ];
722 socklen_t addrlen = sizeof(__ss);
723
724 retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
725 sa, &addrlen);
726 if (retx < 0) {
727 if(errno == EINTR)
728 break;
729 else
730 krb5_err (context, 1, errno, "recvfrom");
731 }
732
733 process (realms, keytab, sockets[i],
734 &addrs.val[i],
735 sa, addrlen,
736 buf, retx);
737 }
738 }
739
740 for (i = 0; i < n; ++i)
741 close(sockets[i]);
742 free(sockets);
743
744 krb5_free_addresses (context, &addrs);
745 krb5_free_host_realm (context, realms);
746 krb5_free_context (context);
747 return 0;
748 }
749
750 static RETSIGTYPE
sigterm(int sig)751 sigterm(int sig)
752 {
753 exit_flag = 1;
754 }
755
756 static const char *check_library = NULL;
757 static const char *check_function = NULL;
758 static getarg_strings policy_libraries = { 0, NULL };
759 static char sHDB[] = "HDB:";
760 static char *keytab_str = sHDB;
761 static char *realm_str;
762 static int version_flag;
763 static int help_flag;
764 static char *port_str;
765 static char *config_file;
766
767 struct getargs args[] = {
768 #ifdef HAVE_DLOPEN
769 { "check-library", 0, arg_string, &check_library,
770 "library to load password check function from", "library" },
771 { "check-function", 0, arg_string, &check_function,
772 "password check function to load", "function" },
773 { "policy-libraries", 0, arg_strings, &policy_libraries,
774 "password check function to load", "function" },
775 #endif
776 { "addresses", 0, arg_strings, &addresses_str,
777 "addresses to listen on", "list of addresses" },
778 { "keytab", 'k', arg_string, &keytab_str,
779 "keytab to get authentication key from", "kspec" },
780 { "config-file", 'c', arg_string, &config_file, NULL, NULL },
781 { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
782 { "port", 'p', arg_string, &port_str, "port", NULL },
783 { "version", 0, arg_flag, &version_flag, NULL, NULL },
784 { "help", 0, arg_flag, &help_flag, NULL, NULL }
785 };
786 int num_args = sizeof(args) / sizeof(args[0]);
787
788 int
main(int argc,char ** argv)789 main (int argc, char **argv)
790 {
791 krb5_keytab keytab;
792 krb5_error_code ret;
793 char **files;
794 int port, i;
795
796 krb5_program_setup(&context, argc, argv, args, num_args, NULL);
797
798 if(help_flag)
799 krb5_std_usage(0, args, num_args);
800 if(version_flag) {
801 print_version(NULL);
802 exit(0);
803 }
804
805 if (config_file == NULL) {
806 asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
807 if (config_file == NULL)
808 errx(1, "out of memory");
809 }
810
811 ret = krb5_prepend_config_files_default(config_file, &files);
812 if (ret)
813 krb5_err(context, 1, ret, "getting configuration files");
814
815 ret = krb5_set_config_files(context, files);
816 krb5_free_config_files(files);
817 if (ret)
818 krb5_err(context, 1, ret, "reading configuration files");
819
820 if(realm_str)
821 krb5_set_default_realm(context, realm_str);
822
823 krb5_openlog (context, "kpasswdd", &log_facility);
824 krb5_set_warn_dest(context, log_facility);
825
826 if (port_str != NULL) {
827 struct servent *s = roken_getservbyname (port_str, "udp");
828
829 if (s != NULL)
830 port = s->s_port;
831 else {
832 char *ptr;
833
834 port = strtol (port_str, &ptr, 10);
835 if (port == 0 && ptr == port_str)
836 krb5_errx (context, 1, "bad port `%s'", port_str);
837 port = htons(port);
838 }
839 } else
840 port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
841
842 ret = krb5_kt_register(context, &hdb_kt_ops);
843 if(ret)
844 krb5_err(context, 1, ret, "krb5_kt_register");
845
846 ret = krb5_kt_resolve(context, keytab_str, &keytab);
847 if(ret)
848 krb5_err(context, 1, ret, "%s", keytab_str);
849
850 kadm5_setup_passwd_quality_check (context, check_library, check_function);
851
852 for (i = 0; i < policy_libraries.num_strings; i++) {
853 ret = kadm5_add_passwd_quality_verifier(context,
854 policy_libraries.strings[i]);
855 if (ret)
856 krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
857 }
858 ret = kadm5_add_passwd_quality_verifier(context, NULL);
859 if (ret)
860 krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
861
862
863 explicit_addresses.len = 0;
864
865 if (addresses_str.num_strings) {
866 int j;
867
868 for (j = 0; j < addresses_str.num_strings; ++j)
869 add_one_address (addresses_str.strings[j], j == 0);
870 free_getarg_strings (&addresses_str);
871 } else {
872 char **foo = krb5_config_get_strings (context, NULL,
873 "kdc", "addresses", NULL);
874
875 if (foo != NULL) {
876 add_one_address (*foo++, TRUE);
877 while (*foo)
878 add_one_address (*foo++, FALSE);
879 }
880 }
881
882 #ifdef HAVE_SIGACTION
883 {
884 struct sigaction sa;
885
886 sa.sa_flags = 0;
887 sa.sa_handler = sigterm;
888 sigemptyset(&sa.sa_mask);
889
890 sigaction(SIGINT, &sa, NULL);
891 sigaction(SIGTERM, &sa, NULL);
892 }
893 #else
894 signal(SIGINT, sigterm);
895 signal(SIGTERM, sigterm);
896 #endif
897
898 pidfile(NULL);
899
900 return doit (keytab, port);
901 }
902