xref: /freebsd/crypto/heimdal/kpasswd/kpasswdd.c (revision aa24f48b361effe51163877d84f1b70d32b77e04)
1 /*
2  * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3  * (Royal Institute of Technology, Stockholm, Sweden).
4  * All rights reserved.
5  *
6  * Redistribution and use in source and binary forms, with or without
7  * modification, are permitted provided that the following conditions
8  * are met:
9  *
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  *
13  * 2. Redistributions in binary form must reproduce the above copyright
14  *    notice, this list of conditions and the following disclaimer in the
15  *    documentation and/or other materials provided with the distribution.
16  *
17  * 3. Neither the name of the Institute nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include "kpasswd_locl.h"
35 RCSID("$Id$");
36 
37 #include <kadm5/admin.h>
38 #ifdef HAVE_SYS_UN_H
39 #include <sys/un.h>
40 #endif
41 #include <hdb.h>
42 #include <kadm5/private.h>
43 
44 static krb5_context context;
45 static krb5_log_facility *log_facility;
46 
47 static struct getarg_strings addresses_str;
48 krb5_addresses explicit_addresses;
49 
50 static sig_atomic_t exit_flag = 0;
51 
52 static void
53 add_one_address (const char *str, int first)
54 {
55     krb5_error_code ret;
56     krb5_addresses tmp;
57 
58     ret = krb5_parse_address (context, str, &tmp);
59     if (ret)
60 	krb5_err (context, 1, ret, "parse_address `%s'", str);
61     if (first)
62 	krb5_copy_addresses(context, &tmp, &explicit_addresses);
63     else
64 	krb5_append_addresses(context, &explicit_addresses, &tmp);
65     krb5_free_addresses (context, &tmp);
66 }
67 
68 static void
69 send_reply (int s,
70 	    struct sockaddr *sa,
71 	    int sa_size,
72 	    krb5_data *ap_rep,
73 	    krb5_data *rest)
74 {
75     struct msghdr msghdr;
76     struct iovec iov[3];
77     uint16_t len, ap_rep_len;
78     u_char header[6];
79     u_char *p;
80 
81     if (ap_rep)
82 	ap_rep_len = ap_rep->length;
83     else
84 	ap_rep_len = 0;
85 
86     len = 6 + ap_rep_len + rest->length;
87     p = header;
88     *p++ = (len >> 8) & 0xFF;
89     *p++ = (len >> 0) & 0xFF;
90     *p++ = 0;
91     *p++ = 1;
92     *p++ = (ap_rep_len >> 8) & 0xFF;
93     *p++ = (ap_rep_len >> 0) & 0xFF;
94 
95     memset (&msghdr, 0, sizeof(msghdr));
96     msghdr.msg_name       = (void *)sa;
97     msghdr.msg_namelen    = sa_size;
98     msghdr.msg_iov        = iov;
99     msghdr.msg_iovlen     = sizeof(iov)/sizeof(*iov);
100 #if 0
101     msghdr.msg_control    = NULL;
102     msghdr.msg_controllen = 0;
103 #endif
104 
105     iov[0].iov_base       = (char *)header;
106     iov[0].iov_len        = 6;
107     if (ap_rep_len) {
108 	iov[1].iov_base   = ap_rep->data;
109 	iov[1].iov_len    = ap_rep->length;
110     } else {
111 	iov[1].iov_base   = NULL;
112 	iov[1].iov_len    = 0;
113     }
114     iov[2].iov_base       = rest->data;
115     iov[2].iov_len        = rest->length;
116 
117     if (sendmsg (s, &msghdr, 0) < 0)
118 	krb5_warn (context, errno, "sendmsg");
119 }
120 
121 static int
122 make_result (krb5_data *data,
123 	     uint16_t result_code,
124 	     const char *expl)
125 {
126     char *str;
127     krb5_data_zero (data);
128 
129     data->length = asprintf (&str,
130 			     "%c%c%s",
131 			     (result_code >> 8) & 0xFF,
132 			     result_code & 0xFF,
133 			     expl);
134 
135     if (str == NULL) {
136 	krb5_warnx (context, "Out of memory generating error reply");
137 	return 1;
138     }
139     data->data = str;
140     return 0;
141 }
142 
143 static void
144 reply_error (krb5_realm realm,
145 	     int s,
146 	     struct sockaddr *sa,
147 	     int sa_size,
148 	     krb5_error_code error_code,
149 	     uint16_t result_code,
150 	     const char *expl)
151 {
152     krb5_error_code ret;
153     krb5_data error_data;
154     krb5_data e_data;
155     krb5_principal server = NULL;
156 
157     if (make_result(&e_data, result_code, expl))
158 	return;
159 
160     if (realm) {
161 	ret = krb5_make_principal (context, &server, realm,
162 				   "kadmin", "changepw", NULL);
163 	if (ret) {
164 	    krb5_data_free (&e_data);
165 	    return;
166 	}
167     }
168 
169     ret = krb5_mk_error (context,
170 			 error_code,
171 			 NULL,
172 			 &e_data,
173 			 NULL,
174 			 server,
175 			 NULL,
176 			 NULL,
177 			 &error_data);
178     if (server)
179 	krb5_free_principal(context, server);
180     krb5_data_free (&e_data);
181     if (ret) {
182 	krb5_warn (context, ret, "Could not even generate error reply");
183 	return;
184     }
185     send_reply (s, sa, sa_size, NULL, &error_data);
186     krb5_data_free (&error_data);
187 }
188 
189 static void
190 reply_priv (krb5_auth_context auth_context,
191 	    int s,
192 	    struct sockaddr *sa,
193 	    int sa_size,
194 	    uint16_t result_code,
195 	    const char *expl)
196 {
197     krb5_error_code ret;
198     krb5_data krb_priv_data;
199     krb5_data ap_rep_data;
200     krb5_data e_data;
201 
202     ret = krb5_mk_rep (context,
203 		       auth_context,
204 		       &ap_rep_data);
205     if (ret) {
206 	krb5_warn (context, ret, "Could not even generate error reply");
207 	return;
208     }
209 
210     if (make_result(&e_data, result_code, expl))
211 	return;
212 
213     ret = krb5_mk_priv (context,
214 			auth_context,
215 			&e_data,
216 			&krb_priv_data,
217 			NULL);
218     krb5_data_free (&e_data);
219     if (ret) {
220 	krb5_warn (context, ret, "Could not even generate error reply");
221 	return;
222     }
223     send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
224     krb5_data_free (&ap_rep_data);
225     krb5_data_free (&krb_priv_data);
226 }
227 
228 /*
229  * Change the password for `principal', sending the reply back on `s'
230  * (`sa', `sa_size') to `pwd_data'.
231  */
232 
233 static void
234 change (krb5_auth_context auth_context,
235 	krb5_principal admin_principal,
236 	uint16_t version,
237 	int s,
238 	struct sockaddr *sa,
239 	int sa_size,
240 	krb5_data *in_data)
241 {
242     krb5_error_code ret;
243     char *client = NULL, *admin = NULL;
244     const char *pwd_reason;
245     kadm5_config_params conf;
246     void *kadm5_handle = NULL;
247     krb5_principal principal = NULL;
248     krb5_data *pwd_data = NULL;
249     char *tmp;
250     ChangePasswdDataMS chpw;
251 
252     memset (&conf, 0, sizeof(conf));
253     memset(&chpw, 0, sizeof(chpw));
254 
255     if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
256 	ret = krb5_copy_data(context, in_data, &pwd_data);
257 	if (ret) {
258 	    krb5_warn (context, ret, "krb5_copy_data");
259 	    reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
260 			"out out memory copying password");
261 	    return;
262 	}
263 	principal = admin_principal;
264     } else if (version == KRB5_KPASSWD_VERS_SETPW) {
265 	size_t len;
266 
267 	ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
268 					&chpw, &len);
269 	if (ret) {
270 	    krb5_warn (context, ret, "decode_ChangePasswdDataMS");
271 	    reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
272 			"malformed ChangePasswdData");
273 	    return;
274 	}
275 
276 
277 	ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
278 	if (ret) {
279 	    krb5_warn (context, ret, "krb5_copy_data");
280 	    reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
281 			"out out memory copying password");
282 	    goto out;
283 	}
284 
285 	if (chpw.targname == NULL && chpw.targrealm != NULL) {
286 	    krb5_warn (context, ret, "kadm5_init_with_password_ctx");
287 	    reply_priv (auth_context, s, sa, sa_size,
288 			KRB5_KPASSWD_MALFORMED,
289 			"targrealm but not targname");
290 	    goto out;
291 	}
292 
293 	if (chpw.targname) {
294 	    krb5_principal_data princ;
295 
296 	    princ.name = *chpw.targname;
297 	    princ.realm = *chpw.targrealm;
298 	    if (princ.realm == NULL) {
299 		ret = krb5_get_default_realm(context, &princ.realm);
300 
301 		if (ret) {
302 		    krb5_warnx (context,
303 				"kadm5_init_with_password_ctx: "
304 				"failed to allocate realm");
305 		    reply_priv (auth_context, s, sa, sa_size,
306 				KRB5_KPASSWD_SOFTERROR,
307 				"failed to allocate realm");
308 		    goto out;
309 		}
310 	    }
311 	    ret = krb5_copy_principal(context, &princ, &principal);
312 	    if (*chpw.targrealm == NULL)
313 		free(princ.realm);
314 	    if (ret) {
315 		krb5_warn(context, ret, "krb5_copy_principal");
316 		reply_priv(auth_context, s, sa, sa_size,
317 			   KRB5_KPASSWD_HARDERROR,
318 			   "failed to allocate principal");
319 		goto out;
320 	    }
321 	} else
322 	    principal = admin_principal;
323     } else {
324 	krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
325 	reply_priv (auth_context, s, sa, sa_size,
326 		    KRB5_KPASSWD_HARDERROR,
327 		    "Unknown protocol used");
328 	return;
329     }
330 
331     ret = krb5_unparse_name (context, admin_principal, &admin);
332     if (ret) {
333 	krb5_warn (context, ret, "unparse_name failed");
334 	reply_priv (auth_context, s, sa, sa_size,
335 		    KRB5_KPASSWD_HARDERROR, "out of memory error");
336 	goto out;
337     }
338 
339     conf.realm = principal->realm;
340     conf.mask |= KADM5_CONFIG_REALM;
341 
342     ret = kadm5_init_with_password_ctx(context,
343 				       admin,
344 				       NULL,
345 				       KADM5_ADMIN_SERVICE,
346 				       &conf, 0, 0,
347 				       &kadm5_handle);
348     if (ret) {
349 	krb5_warn (context, ret, "kadm5_init_with_password_ctx");
350 	reply_priv (auth_context, s, sa, sa_size, 2,
351 		    "Internal error");
352 	goto out;
353     }
354 
355     ret = krb5_unparse_name(context, principal, &client);
356     if (ret) {
357 	krb5_warn (context, ret, "unparse_name failed");
358 	reply_priv (auth_context, s, sa, sa_size,
359 		    KRB5_KPASSWD_HARDERROR, "out of memory error");
360 	goto out;
361     }
362 
363     /*
364      * Check password quality if not changing as administrator
365      */
366 
367     if (krb5_principal_compare(context, admin_principal, principal) == TRUE) {
368 
369 	pwd_reason = kadm5_check_password_quality (context, principal,
370 						   pwd_data);
371 	if (pwd_reason != NULL ) {
372 	    krb5_warnx (context,
373 			"%s didn't pass password quality check with error: %s",
374 			client, pwd_reason);
375 	    reply_priv (auth_context, s, sa, sa_size,
376 			KRB5_KPASSWD_SOFTERROR, pwd_reason);
377 	    goto out;
378 	}
379 	krb5_warnx (context, "Changing password for %s", client);
380     } else {
381 	ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW,
382 					  principal);
383 	if (ret) {
384 	    krb5_warn (context, ret,
385 		       "Check ACL failed for %s for changing %s password",
386 		       admin, client);
387 	    reply_priv (auth_context, s, sa, sa_size,
388 			KRB5_KPASSWD_HARDERROR, "permission denied");
389 	    goto out;
390 	}
391 	krb5_warnx (context, "%s is changing password for %s", admin, client);
392     }
393 
394     ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
395     if (ret) {
396 	krb5_warn (context, ret, "malloc: out of memory");
397 	reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR,
398 		    "Internal error");
399 	goto out;
400     }
401     tmp = pwd_data->data;
402     tmp[pwd_data->length - 1] = '\0';
403 
404     ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
405     krb5_free_data (context, pwd_data);
406     pwd_data = NULL;
407     if (ret) {
408 	const char *str = krb5_get_error_message(context, ret);
409 	krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
410 	reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR,
411 		    str ? str : "Internal error");
412 	krb5_free_error_message(context, str);
413 	goto out;
414     }
415     reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS,
416 		"Password changed");
417 out:
418     free_ChangePasswdDataMS(&chpw);
419     if (principal != admin_principal)
420 	krb5_free_principal(context, principal);
421     if (admin)
422 	free(admin);
423     if (client)
424 	free(client);
425     if (pwd_data)
426 	krb5_free_data(context, pwd_data);
427     if (kadm5_handle)
428 	kadm5_destroy (kadm5_handle);
429 }
430 
431 static int
432 verify (krb5_auth_context *auth_context,
433 	krb5_realm *realms,
434 	krb5_keytab keytab,
435 	krb5_ticket **ticket,
436 	krb5_data *out_data,
437 	uint16_t *version,
438 	int s,
439 	struct sockaddr *sa,
440 	int sa_size,
441 	u_char *msg,
442 	size_t len,
443 	krb5_address *client_addr)
444 {
445     krb5_error_code ret;
446     uint16_t pkt_len, pkt_ver, ap_req_len;
447     krb5_data ap_req_data;
448     krb5_data krb_priv_data;
449     krb5_realm *r;
450 
451     /*
452      * Only send an error reply if the request passes basic length
453      * verification.  Otherwise, kpasswdd would reply to every UDP packet,
454      * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP
455      * packet with a source address of another UDP service that also replies
456      * to every packet.
457      *
458      * Also suppress the error reply if ap_req_len is 0, which indicates
459      * either an invalid request or an error packet.  An error packet may be
460      * the result of a ping-pong attacker pointing us at another kpasswdd.
461      */
462     pkt_len = (msg[0] << 8) | (msg[1]);
463     pkt_ver = (msg[2] << 8) | (msg[3]);
464     ap_req_len = (msg[4] << 8) | (msg[5]);
465     if (pkt_len != len) {
466 	krb5_warnx (context, "Strange len: %ld != %ld",
467 		    (long)pkt_len, (long)len);
468 	return 1;
469     }
470     if (ap_req_len == 0) {
471 	krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
472 	return 1;
473     }
474     if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
475 	pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
476 	krb5_warnx (context, "Bad version (%d)", pkt_ver);
477 	reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version");
478 	return 1;
479     }
480     *version = pkt_ver;
481 
482     ap_req_data.data   = msg + 6;
483     ap_req_data.length = ap_req_len;
484 
485     ret = krb5_rd_req (context,
486 		       auth_context,
487 		       &ap_req_data,
488 		       NULL,
489 		       keytab,
490 		       NULL,
491 		       ticket);
492     if (ret) {
493 	krb5_warn (context, ret, "krb5_rd_req");
494 	reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed");
495 	return 1;
496     }
497 
498     /* verify realm and principal */
499     for (r = realms; *r != NULL; r++) {
500 	krb5_principal principal;
501 	krb5_boolean same;
502 
503 	ret = krb5_make_principal (context,
504 				   &principal,
505 				   *r,
506 				   "kadmin",
507 				   "changepw",
508 				   NULL);
509 	if (ret)
510 	    krb5_err (context, 1, ret, "krb5_make_principal");
511 
512 	same = krb5_principal_compare(context, principal, (*ticket)->server);
513 	krb5_free_principal(context, principal);
514 	if (same == TRUE)
515 	    break;
516     }
517     if (*r == NULL) {
518 	char *str;
519 	krb5_unparse_name(context, (*ticket)->server, &str);
520 	krb5_warnx (context, "client used not valid principal %s", str);
521 	free(str);
522 	reply_error (NULL, s, sa, sa_size, ret, 1,
523 		     "Bad request");
524 	goto out;
525     }
526 
527     if (strcmp((*ticket)->server->realm, (*ticket)->client->realm) != 0) {
528 	krb5_warnx (context, "server realm (%s) not same a client realm (%s)",
529 		    (*ticket)->server->realm, (*ticket)->client->realm);
530 	reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
531 		     "Bad request");
532 	goto out;
533     }
534 
535     if (!(*ticket)->ticket.flags.initial) {
536 	krb5_warnx (context, "initial flag not set");
537 	reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
538 		     "Bad request");
539 	goto out;
540     }
541     krb_priv_data.data   = msg + 6 + ap_req_len;
542     krb_priv_data.length = len - 6 - ap_req_len;
543 
544     /*
545      * Only enforce client addresses on on tickets with addresses.  If
546      * its addressless, we are guessing its behind NAT and really
547      * can't know this information.
548      */
549 
550     if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
551 	ret = krb5_auth_con_setaddrs (context, *auth_context,
552 				      NULL, client_addr);
553 	if (ret) {
554 	    krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
555 	    goto out;
556 	}
557     }
558 
559     ret = krb5_rd_priv (context,
560 			*auth_context,
561 			&krb_priv_data,
562 			out_data,
563 			NULL);
564 
565     if (ret) {
566 	krb5_warn (context, ret, "krb5_rd_priv");
567 	reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3,
568 		     "Bad request");
569 	goto out;
570     }
571     return 0;
572 out:
573     krb5_free_ticket (context, *ticket);
574     ticket = NULL;
575     return 1;
576 }
577 
578 static void
579 process (krb5_realm *realms,
580 	 krb5_keytab keytab,
581 	 int s,
582 	 krb5_address *this_addr,
583 	 struct sockaddr *sa,
584 	 int sa_size,
585 	 u_char *msg,
586 	 int len)
587 {
588     krb5_error_code ret;
589     krb5_auth_context auth_context = NULL;
590     krb5_data out_data;
591     krb5_ticket *ticket;
592     krb5_address other_addr;
593     uint16_t version;
594 
595     memset(&other_addr, 0, sizeof(other_addr));
596     krb5_data_zero (&out_data);
597 
598     ret = krb5_auth_con_init (context, &auth_context);
599     if (ret) {
600 	krb5_warn (context, ret, "krb5_auth_con_init");
601 	return;
602     }
603 
604     krb5_auth_con_setflags (context, auth_context,
605 			    KRB5_AUTH_CONTEXT_DO_SEQUENCE);
606 
607     ret = krb5_sockaddr2address (context, sa, &other_addr);
608     if (ret) {
609 	krb5_warn (context, ret, "krb5_sockaddr2address");
610 	goto out;
611     }
612 
613     ret = krb5_auth_con_setaddrs (context, auth_context, this_addr, NULL);
614     if (ret) {
615 	krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
616 	goto out;
617     }
618 
619     if (verify (&auth_context, realms, keytab, &ticket, &out_data,
620 		&version, s, sa, sa_size, msg, len, &other_addr) == 0)
621     {
622 	/*
623 	 * We always set the client_addr, to assume that the client
624 	 * can ignore it if it choose to do so (just the server does
625 	 * so for addressless tickets).
626 	 */
627 	ret = krb5_auth_con_setaddrs (context, auth_context,
628 				      this_addr, &other_addr);
629 	if (ret) {
630 	    krb5_warn (context, ret, "krb5_auth_con_setaddr(other)");
631 	    goto out;
632 	}
633 
634 	change (auth_context,
635 		ticket->client,
636 		version,
637 		s,
638 		sa, sa_size,
639 		&out_data);
640 	memset (out_data.data, 0, out_data.length);
641 	krb5_free_ticket (context, ticket);
642     }
643 
644 out:
645     krb5_free_address(context, &other_addr);
646     krb5_data_free(&out_data);
647     krb5_auth_con_free(context, auth_context);
648 }
649 
650 static int
651 doit (krb5_keytab keytab, int port)
652 {
653     krb5_error_code ret;
654     int *sockets;
655     int maxfd;
656     krb5_realm *realms;
657     krb5_addresses addrs;
658     unsigned n, i;
659     fd_set real_fdset;
660     struct sockaddr_storage __ss;
661     struct sockaddr *sa = (struct sockaddr *)&__ss;
662 
663     ret = krb5_get_default_realms(context, &realms);
664     if (ret)
665 	krb5_err (context, 1, ret, "krb5_get_default_realms");
666 
667     if (explicit_addresses.len) {
668 	addrs = explicit_addresses;
669     } else {
670 	ret = krb5_get_all_server_addrs (context, &addrs);
671 	if (ret)
672 	    krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
673     }
674     n = addrs.len;
675 
676     sockets = malloc (n * sizeof(*sockets));
677     if (sockets == NULL)
678 	krb5_errx (context, 1, "out of memory");
679     maxfd = -1;
680     FD_ZERO(&real_fdset);
681     for (i = 0; i < n; ++i) {
682 	krb5_socklen_t sa_size = sizeof(__ss);
683 
684 	krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
685 
686 	sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
687 	if (sockets[i] < 0)
688 	    krb5_err (context, 1, errno, "socket");
689 	if (bind (sockets[i], sa, sa_size) < 0) {
690 	    char str[128];
691 	    size_t len;
692 	    int save_errno = errno;
693 
694 	    ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
695 	    if (ret)
696 		strlcpy(str, "unknown address", sizeof(str));
697 	    krb5_warn (context, save_errno, "bind(%s)", str);
698 	    continue;
699 	}
700 	maxfd = max (maxfd, sockets[i]);
701 	if (maxfd >= FD_SETSIZE)
702 	    krb5_errx (context, 1, "fd too large");
703 	FD_SET(sockets[i], &real_fdset);
704     }
705     if (maxfd == -1)
706 	krb5_errx (context, 1, "No sockets!");
707 
708     while(exit_flag == 0) {
709 	krb5_ssize_t retx;
710 	fd_set fdset = real_fdset;
711 
712 	retx = select (maxfd + 1, &fdset, NULL, NULL, NULL);
713 	if (retx < 0) {
714 	    if (errno == EINTR)
715 		continue;
716 	    else
717 		krb5_err (context, 1, errno, "select");
718 	}
719 	for (i = 0; i < n; ++i)
720 	    if (FD_ISSET(sockets[i], &fdset)) {
721 		u_char buf[BUFSIZ];
722 		socklen_t addrlen = sizeof(__ss);
723 
724 		retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
725 				sa, &addrlen);
726 		if (retx < 0) {
727 		    if(errno == EINTR)
728 			break;
729 		    else
730 			krb5_err (context, 1, errno, "recvfrom");
731 		}
732 
733 		process (realms, keytab, sockets[i],
734 			 &addrs.val[i],
735 			 sa, addrlen,
736 			 buf, retx);
737 	    }
738     }
739 
740     for (i = 0; i < n; ++i)
741 	close(sockets[i]);
742     free(sockets);
743 
744     krb5_free_addresses (context, &addrs);
745     krb5_free_host_realm (context, realms);
746     krb5_free_context (context);
747     return 0;
748 }
749 
750 static RETSIGTYPE
751 sigterm(int sig)
752 {
753     exit_flag = 1;
754 }
755 
756 static const char *check_library  = NULL;
757 static const char *check_function = NULL;
758 static getarg_strings policy_libraries = { 0, NULL };
759 static char sHDB[] = "HDB:";
760 static char *keytab_str = sHDB;
761 static char *realm_str;
762 static int version_flag;
763 static int help_flag;
764 static char *port_str;
765 static char *config_file;
766 
767 struct getargs args[] = {
768 #ifdef HAVE_DLOPEN
769     { "check-library", 0, arg_string, &check_library,
770       "library to load password check function from", "library" },
771     { "check-function", 0, arg_string, &check_function,
772       "password check function to load", "function" },
773     { "policy-libraries", 0, arg_strings, &policy_libraries,
774       "password check function to load", "function" },
775 #endif
776     { "addresses",	0,	arg_strings, &addresses_str,
777       "addresses to listen on", "list of addresses" },
778     { "keytab", 'k', arg_string, &keytab_str,
779       "keytab to get authentication key from", "kspec" },
780     { "config-file", 'c', arg_string, &config_file, NULL, NULL },
781     { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
782     { "port",  'p', arg_string, &port_str, "port", NULL },
783     { "version", 0, arg_flag, &version_flag, NULL, NULL },
784     { "help", 0, arg_flag, &help_flag, NULL, NULL }
785 };
786 int num_args = sizeof(args) / sizeof(args[0]);
787 
788 int
789 main (int argc, char **argv)
790 {
791     krb5_keytab keytab;
792     krb5_error_code ret;
793     char **files;
794     int port, i;
795 
796     krb5_program_setup(&context, argc, argv, args, num_args, NULL);
797 
798     if(help_flag)
799 	krb5_std_usage(0, args, num_args);
800     if(version_flag) {
801 	print_version(NULL);
802 	exit(0);
803     }
804 
805     if (config_file == NULL) {
806 	asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
807 	if (config_file == NULL)
808 	    errx(1, "out of memory");
809     }
810 
811     ret = krb5_prepend_config_files_default(config_file, &files);
812     if (ret)
813 	krb5_err(context, 1, ret, "getting configuration files");
814 
815     ret = krb5_set_config_files(context, files);
816     krb5_free_config_files(files);
817     if (ret)
818 	krb5_err(context, 1, ret, "reading configuration files");
819 
820     if(realm_str)
821 	krb5_set_default_realm(context, realm_str);
822 
823     krb5_openlog (context, "kpasswdd", &log_facility);
824     krb5_set_warn_dest(context, log_facility);
825 
826     if (port_str != NULL) {
827 	struct servent *s = roken_getservbyname (port_str, "udp");
828 
829 	if (s != NULL)
830 	    port = s->s_port;
831 	else {
832 	    char *ptr;
833 
834 	    port = strtol (port_str, &ptr, 10);
835 	    if (port == 0 && ptr == port_str)
836 		krb5_errx (context, 1, "bad port `%s'", port_str);
837 	    port = htons(port);
838 	}
839     } else
840 	port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
841 
842     ret = krb5_kt_register(context, &hdb_kt_ops);
843     if(ret)
844 	krb5_err(context, 1, ret, "krb5_kt_register");
845 
846     ret = krb5_kt_resolve(context, keytab_str, &keytab);
847     if(ret)
848 	krb5_err(context, 1, ret, "%s", keytab_str);
849 
850     kadm5_setup_passwd_quality_check (context, check_library, check_function);
851 
852     for (i = 0; i < policy_libraries.num_strings; i++) {
853 	ret = kadm5_add_passwd_quality_verifier(context,
854 						policy_libraries.strings[i]);
855 	if (ret)
856 	    krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
857     }
858     ret = kadm5_add_passwd_quality_verifier(context, NULL);
859     if (ret)
860 	krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
861 
862 
863     explicit_addresses.len = 0;
864 
865     if (addresses_str.num_strings) {
866 	int j;
867 
868 	for (j = 0; j < addresses_str.num_strings; ++j)
869 	    add_one_address (addresses_str.strings[j], j == 0);
870 	free_getarg_strings (&addresses_str);
871     } else {
872 	char **foo = krb5_config_get_strings (context, NULL,
873 					      "kdc", "addresses", NULL);
874 
875 	if (foo != NULL) {
876 	    add_one_address (*foo++, TRUE);
877 	    while (*foo)
878 		add_one_address (*foo++, FALSE);
879 	}
880     }
881 
882 #ifdef HAVE_SIGACTION
883     {
884 	struct sigaction sa;
885 
886 	sa.sa_flags = 0;
887 	sa.sa_handler = sigterm;
888 	sigemptyset(&sa.sa_mask);
889 
890 	sigaction(SIGINT,  &sa, NULL);
891 	sigaction(SIGTERM, &sa, NULL);
892     }
893 #else
894     signal(SIGINT,  sigterm);
895     signal(SIGTERM, sigterm);
896 #endif
897 
898     pidfile(NULL);
899 
900     return doit (keytab, port);
901 }
902