17c478bd9Sstevel@tonic-gate /* 27c478bd9Sstevel@tonic-gate * CDDL HEADER START 37c478bd9Sstevel@tonic-gate * 47c478bd9Sstevel@tonic-gate * The contents of this file are subject to the terms of the 57c478bd9Sstevel@tonic-gate * Common Development and Distribution License, Version 1.0 only 67c478bd9Sstevel@tonic-gate * (the "License"). You may not use this file except in compliance 77c478bd9Sstevel@tonic-gate * with the License. 87c478bd9Sstevel@tonic-gate * 97c478bd9Sstevel@tonic-gate * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 107c478bd9Sstevel@tonic-gate * or http://www.opensolaris.org/os/licensing. 117c478bd9Sstevel@tonic-gate * See the License for the specific language governing permissions 127c478bd9Sstevel@tonic-gate * and limitations under the License. 137c478bd9Sstevel@tonic-gate * 147c478bd9Sstevel@tonic-gate * When distributing Covered Code, include this CDDL HEADER in each 157c478bd9Sstevel@tonic-gate * file and include the License file at usr/src/OPENSOLARIS.LICENSE. 167c478bd9Sstevel@tonic-gate * If applicable, add the following below this CDDL HEADER, with the 177c478bd9Sstevel@tonic-gate * fields enclosed by brackets "[]" replaced with your own identifying 187c478bd9Sstevel@tonic-gate * information: Portions Copyright [yyyy] [name of copyright owner] 197c478bd9Sstevel@tonic-gate * 207c478bd9Sstevel@tonic-gate * CDDL HEADER END 217c478bd9Sstevel@tonic-gate */ 227c478bd9Sstevel@tonic-gate /* 23*49e7ca49Speteh * Copyright 2005 Sun Microsystems, Inc. All rights reserved. 247c478bd9Sstevel@tonic-gate * Use is subject to license terms. 257c478bd9Sstevel@tonic-gate */ 267c478bd9Sstevel@tonic-gate 277c478bd9Sstevel@tonic-gate /* Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T */ 287c478bd9Sstevel@tonic-gate /* All Rights Reserved */ 297c478bd9Sstevel@tonic-gate 307c478bd9Sstevel@tonic-gate /* 317c478bd9Sstevel@tonic-gate * University Copyright- Copyright (c) 1982, 1986, 1988 327c478bd9Sstevel@tonic-gate * The Regents of the University of California 337c478bd9Sstevel@tonic-gate * All Rights Reserved 347c478bd9Sstevel@tonic-gate * 357c478bd9Sstevel@tonic-gate * University Acknowledgment- Portions of this document are derived from 367c478bd9Sstevel@tonic-gate * software developed by the University of California, Berkeley, and its 377c478bd9Sstevel@tonic-gate * contributors. 387c478bd9Sstevel@tonic-gate */ 397c478bd9Sstevel@tonic-gate 407c478bd9Sstevel@tonic-gate #pragma ident "%Z%%M% %I% %E% SMI" 417c478bd9Sstevel@tonic-gate 427c478bd9Sstevel@tonic-gate /* 437c478bd9Sstevel@tonic-gate * Administrative tool to add a new user to the publickey database 447c478bd9Sstevel@tonic-gate */ 457c478bd9Sstevel@tonic-gate #include <stdio.h> 467c478bd9Sstevel@tonic-gate #include <stdlib.h> 477c478bd9Sstevel@tonic-gate #include <rpc/rpc.h> 487c478bd9Sstevel@tonic-gate #include <rpc/key_prot.h> 497c478bd9Sstevel@tonic-gate #include <rpcsvc/ypclnt.h> 507c478bd9Sstevel@tonic-gate #include <sys/wait.h> 517c478bd9Sstevel@tonic-gate #include <netdb.h> 527c478bd9Sstevel@tonic-gate #include <pwd.h> 537c478bd9Sstevel@tonic-gate #include <shadow.h> 547c478bd9Sstevel@tonic-gate #include <crypt.h> 557c478bd9Sstevel@tonic-gate #include <string.h> 567c478bd9Sstevel@tonic-gate #include <sys/resource.h> 577c478bd9Sstevel@tonic-gate #include <netdir.h> 587c478bd9Sstevel@tonic-gate #include <rpcsvc/nis.h> 597c478bd9Sstevel@tonic-gate 607c478bd9Sstevel@tonic-gate #define MAXMAPNAMELEN 256 617c478bd9Sstevel@tonic-gate #define MAXPASSWD 256 /* max significant characters in password */ 627c478bd9Sstevel@tonic-gate 637c478bd9Sstevel@tonic-gate #define PK_FILES 1 647c478bd9Sstevel@tonic-gate #define PK_YP 2 657c478bd9Sstevel@tonic-gate #define PK_NISPLUS 3 667c478bd9Sstevel@tonic-gate #define PK_LDAP 4 677c478bd9Sstevel@tonic-gate 687c478bd9Sstevel@tonic-gate extern int optind; 697c478bd9Sstevel@tonic-gate extern char *optarg; 707c478bd9Sstevel@tonic-gate extern char *get_nisplus_principal(); 717c478bd9Sstevel@tonic-gate extern int __getnetnamebyuid(); 727c478bd9Sstevel@tonic-gate extern int self_check(char *name); 737c478bd9Sstevel@tonic-gate 747c478bd9Sstevel@tonic-gate #define local_host(host_name) self_check(host_name) 757c478bd9Sstevel@tonic-gate 767c478bd9Sstevel@tonic-gate char *program_name; 777c478bd9Sstevel@tonic-gate int pk_database; 787c478bd9Sstevel@tonic-gate static char *get_password(); 797c478bd9Sstevel@tonic-gate static char *basename(); 807c478bd9Sstevel@tonic-gate static char SHELL[] = "/bin/sh"; 817c478bd9Sstevel@tonic-gate static char YPDBPATH[] = "/var/yp"; 827c478bd9Sstevel@tonic-gate static char PKMAP[] = "publickey.byname"; 837c478bd9Sstevel@tonic-gate static char UPDATEFILE[] = "updaters"; 847c478bd9Sstevel@tonic-gate static char PKFILE[] = "/etc/publickey"; 85*49e7ca49Speteh static void usage(void); 867c478bd9Sstevel@tonic-gate 87*49e7ca49Speteh int 88*49e7ca49Speteh main(int argc, char *argv[]) 897c478bd9Sstevel@tonic-gate { 907c478bd9Sstevel@tonic-gate char name[MAXNETNAMELEN + 1]; 917c478bd9Sstevel@tonic-gate char public[HEXKEYBYTES + 1]; 927c478bd9Sstevel@tonic-gate char secret[HEXKEYBYTES + 1]; 937c478bd9Sstevel@tonic-gate char crypt1[HEXKEYBYTES + KEYCHECKSUMSIZE + 1]; 947c478bd9Sstevel@tonic-gate int status; 957c478bd9Sstevel@tonic-gate char *pass, *target_host = NULL, 967c478bd9Sstevel@tonic-gate *username = NULL, *pk_service = NULL; 977c478bd9Sstevel@tonic-gate struct passwd *pw; 987c478bd9Sstevel@tonic-gate NCONF_HANDLE *nc_handle; 997c478bd9Sstevel@tonic-gate struct netconfig *nconf; 1007c478bd9Sstevel@tonic-gate struct nd_hostserv service; 1017c478bd9Sstevel@tonic-gate struct nd_addrlist *addrs; 1027c478bd9Sstevel@tonic-gate bool_t validhost; 1037c478bd9Sstevel@tonic-gate uid_t uid; 1047c478bd9Sstevel@tonic-gate int c; 1057c478bd9Sstevel@tonic-gate char *nprinc = NULL; /* nisplus principal name */ 1067c478bd9Sstevel@tonic-gate char host_pname[NIS_MAXNAMELEN]; 1077c478bd9Sstevel@tonic-gate 1087c478bd9Sstevel@tonic-gate program_name = argv[0]; 1097c478bd9Sstevel@tonic-gate while ((c = getopt(argc, argv, "s:u:h:")) != -1) { 1107c478bd9Sstevel@tonic-gate switch (c) { 1117c478bd9Sstevel@tonic-gate case 's': 1127c478bd9Sstevel@tonic-gate if (pk_service == NULL) 1137c478bd9Sstevel@tonic-gate pk_service = optarg; 1147c478bd9Sstevel@tonic-gate else 1157c478bd9Sstevel@tonic-gate usage(); 1167c478bd9Sstevel@tonic-gate break; 1177c478bd9Sstevel@tonic-gate case 'u': 1187c478bd9Sstevel@tonic-gate if (username || target_host) 1197c478bd9Sstevel@tonic-gate usage(); 1207c478bd9Sstevel@tonic-gate username = optarg; 1217c478bd9Sstevel@tonic-gate break; 1227c478bd9Sstevel@tonic-gate case 'h': 1237c478bd9Sstevel@tonic-gate if (username || target_host) 1247c478bd9Sstevel@tonic-gate usage(); 1257c478bd9Sstevel@tonic-gate target_host = optarg; 1267c478bd9Sstevel@tonic-gate break; 1277c478bd9Sstevel@tonic-gate default: 1287c478bd9Sstevel@tonic-gate usage(); 1297c478bd9Sstevel@tonic-gate } 1307c478bd9Sstevel@tonic-gate } 1317c478bd9Sstevel@tonic-gate 1327c478bd9Sstevel@tonic-gate if (optind < argc || (username == 0 && target_host == 0)) { 1337c478bd9Sstevel@tonic-gate usage(); 1347c478bd9Sstevel@tonic-gate } 1357c478bd9Sstevel@tonic-gate 1367c478bd9Sstevel@tonic-gate if ((pk_database = get_pk_source(pk_service)) == 0) 1377c478bd9Sstevel@tonic-gate usage(); 1387c478bd9Sstevel@tonic-gate 1397c478bd9Sstevel@tonic-gate if (geteuid() != 0) { 1407c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "Must be superuser to run %s\n", 1417c478bd9Sstevel@tonic-gate program_name); 1427c478bd9Sstevel@tonic-gate exit(1); 1437c478bd9Sstevel@tonic-gate } 1447c478bd9Sstevel@tonic-gate 1457c478bd9Sstevel@tonic-gate if (username) { 1467c478bd9Sstevel@tonic-gate pw = getpwnam(username); 1477c478bd9Sstevel@tonic-gate if (pw == NULL) { 1487c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "%s: unknown user: '%s'\n", 1497c478bd9Sstevel@tonic-gate program_name, username); 1507c478bd9Sstevel@tonic-gate exit(1); 1517c478bd9Sstevel@tonic-gate } 1527c478bd9Sstevel@tonic-gate uid = pw->pw_uid; 1537c478bd9Sstevel@tonic-gate if (uid == 0) { 1547c478bd9Sstevel@tonic-gate if (! getnetname(name)) { 1557c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 1567c478bd9Sstevel@tonic-gate "%s: could not get the equivalent netname for %s\n", 1577c478bd9Sstevel@tonic-gate program_name, username); 1587c478bd9Sstevel@tonic-gate usage(); 1597c478bd9Sstevel@tonic-gate } 1607c478bd9Sstevel@tonic-gate if (pk_database == PK_NISPLUS) 1617c478bd9Sstevel@tonic-gate target_host = nis_local_host(); 1627c478bd9Sstevel@tonic-gate else { 1637c478bd9Sstevel@tonic-gate if (gethostname(host_pname, NIS_MAXNAMELEN) 1647c478bd9Sstevel@tonic-gate < 0) { 1657c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 1667c478bd9Sstevel@tonic-gate "%s: could not get the hostname for %s\n", 1677c478bd9Sstevel@tonic-gate program_name, username); 1687c478bd9Sstevel@tonic-gate usage(); 1697c478bd9Sstevel@tonic-gate } 1707c478bd9Sstevel@tonic-gate target_host = host_pname; 1717c478bd9Sstevel@tonic-gate } 1727c478bd9Sstevel@tonic-gate } 1737c478bd9Sstevel@tonic-gate if (__getnetnamebyuid(name, uid) == 0) { 1747c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 1757c478bd9Sstevel@tonic-gate "%s: could not get the equivalent netname for %s\n", 1767c478bd9Sstevel@tonic-gate program_name, username); 1777c478bd9Sstevel@tonic-gate usage(); 1787c478bd9Sstevel@tonic-gate } 1797c478bd9Sstevel@tonic-gate if (pk_database == PK_NISPLUS) 1807c478bd9Sstevel@tonic-gate nprinc = get_nisplus_principal(nis_local_directory(), 1817c478bd9Sstevel@tonic-gate uid); 1827c478bd9Sstevel@tonic-gate } else { 1837c478bd9Sstevel@tonic-gate /* -h hostname option */ 1847c478bd9Sstevel@tonic-gate service.h_host = target_host; 1857c478bd9Sstevel@tonic-gate service.h_serv = NULL; 1867c478bd9Sstevel@tonic-gate validhost = FALSE; 1877c478bd9Sstevel@tonic-gate /* verify if this is a valid hostname */ 1887c478bd9Sstevel@tonic-gate nc_handle = setnetconfig(); 1897c478bd9Sstevel@tonic-gate if (nc_handle == NULL) { 1907c478bd9Sstevel@tonic-gate /* fails to open netconfig file */ 1917c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 1927c478bd9Sstevel@tonic-gate "%s: failed in routine setnetconfig()\n", 1937c478bd9Sstevel@tonic-gate program_name); 1947c478bd9Sstevel@tonic-gate exit(2); 1957c478bd9Sstevel@tonic-gate } 1967c478bd9Sstevel@tonic-gate while (nconf = getnetconfig(nc_handle)) { 1977c478bd9Sstevel@tonic-gate /* check to see if hostname exists for this transport */ 1987c478bd9Sstevel@tonic-gate if ((netdir_getbyname(nconf, &service, &addrs) == 0) && 1997c478bd9Sstevel@tonic-gate (addrs->n_cnt != 0)) { 2007c478bd9Sstevel@tonic-gate /* at least one valid address */ 2017c478bd9Sstevel@tonic-gate validhost = TRUE; 2027c478bd9Sstevel@tonic-gate break; 2037c478bd9Sstevel@tonic-gate } 2047c478bd9Sstevel@tonic-gate } 2057c478bd9Sstevel@tonic-gate endnetconfig(nc_handle); 2067c478bd9Sstevel@tonic-gate if (!validhost) { 2077c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "%s: unknown host: %s\n", 2087c478bd9Sstevel@tonic-gate program_name, target_host); 2097c478bd9Sstevel@tonic-gate exit(1); 2107c478bd9Sstevel@tonic-gate } 2117c478bd9Sstevel@tonic-gate (void) host2netname(name, target_host, (char *)NULL); 2127c478bd9Sstevel@tonic-gate if (pk_database == PK_NISPLUS) { 2137c478bd9Sstevel@tonic-gate if (target_host[strlen(target_host) - 1] != '.') { 2147c478bd9Sstevel@tonic-gate sprintf(host_pname, "%s.%s", 2157c478bd9Sstevel@tonic-gate target_host, nis_local_directory()); 2167c478bd9Sstevel@tonic-gate nprinc = host_pname; 2177c478bd9Sstevel@tonic-gate } else 2187c478bd9Sstevel@tonic-gate nprinc = target_host; 2197c478bd9Sstevel@tonic-gate } 2207c478bd9Sstevel@tonic-gate uid = 0; 2217c478bd9Sstevel@tonic-gate } 2227c478bd9Sstevel@tonic-gate 2237c478bd9Sstevel@tonic-gate (void) fprintf(stdout, "Adding new key for %s.\n", name); 2247c478bd9Sstevel@tonic-gate pass = get_password(uid, target_host, username); 2257c478bd9Sstevel@tonic-gate 2267c478bd9Sstevel@tonic-gate if (pass == NULL) 2277c478bd9Sstevel@tonic-gate exit(1); 2287c478bd9Sstevel@tonic-gate 2297c478bd9Sstevel@tonic-gate (void) __gen_dhkeys(public, secret, pass); 2307c478bd9Sstevel@tonic-gate 2317c478bd9Sstevel@tonic-gate memcpy(crypt1, secret, HEXKEYBYTES); 2327c478bd9Sstevel@tonic-gate memcpy(crypt1 + HEXKEYBYTES, secret, KEYCHECKSUMSIZE); 2337c478bd9Sstevel@tonic-gate crypt1[HEXKEYBYTES + KEYCHECKSUMSIZE] = 0; 2347c478bd9Sstevel@tonic-gate xencrypt(crypt1, pass); 2357c478bd9Sstevel@tonic-gate 2367c478bd9Sstevel@tonic-gate if (status = setpublicmap(name, public, crypt1, pk_database, 2377c478bd9Sstevel@tonic-gate nprinc, pass)) { 2387c478bd9Sstevel@tonic-gate switch (pk_database) { 2397c478bd9Sstevel@tonic-gate case PK_YP: 2407c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 2417c478bd9Sstevel@tonic-gate "%s: unable to update NIS database (%u): %s\n", 2427c478bd9Sstevel@tonic-gate program_name, status, 2437c478bd9Sstevel@tonic-gate yperr_string(status)); 2447c478bd9Sstevel@tonic-gate break; 2457c478bd9Sstevel@tonic-gate case PK_FILES: 2467c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 2477c478bd9Sstevel@tonic-gate "%s: hence, unable to update publickey database\n", 2487c478bd9Sstevel@tonic-gate program_name); 2497c478bd9Sstevel@tonic-gate break; 2507c478bd9Sstevel@tonic-gate case PK_NISPLUS: 2517c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 2527c478bd9Sstevel@tonic-gate "%s: unable to update nisplus database\n", 2537c478bd9Sstevel@tonic-gate program_name); 2547c478bd9Sstevel@tonic-gate break; 2557c478bd9Sstevel@tonic-gate default: 2567c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 2577c478bd9Sstevel@tonic-gate "%s: could not update unknown database: %d\n", 2587c478bd9Sstevel@tonic-gate program_name, pk_database); 2597c478bd9Sstevel@tonic-gate } 2607c478bd9Sstevel@tonic-gate exit(1); 2617c478bd9Sstevel@tonic-gate } 262*49e7ca49Speteh return (0); 2637c478bd9Sstevel@tonic-gate } 2647c478bd9Sstevel@tonic-gate 2657c478bd9Sstevel@tonic-gate /* 2667c478bd9Sstevel@tonic-gate * Set the entry in the public key file 2677c478bd9Sstevel@tonic-gate */ 268*49e7ca49Speteh int 2697c478bd9Sstevel@tonic-gate setpublicmap(name, public, secret, database, nis_princ, pw) 2707c478bd9Sstevel@tonic-gate int database; 2717c478bd9Sstevel@tonic-gate char *name; 2727c478bd9Sstevel@tonic-gate char *public; 2737c478bd9Sstevel@tonic-gate char *secret; 2747c478bd9Sstevel@tonic-gate nis_name nis_princ; 2757c478bd9Sstevel@tonic-gate char *pw; 2767c478bd9Sstevel@tonic-gate { 2777c478bd9Sstevel@tonic-gate char pkent[HEXKEYBYTES + HEXKEYBYTES + KEYCHECKSUMSIZE + 2]; 2787c478bd9Sstevel@tonic-gate char *domain = NULL; 2797c478bd9Sstevel@tonic-gate char *master = NULL; 2807c478bd9Sstevel@tonic-gate char hostname[MAXHOSTNAMELEN+1]; 2817c478bd9Sstevel@tonic-gate 2827c478bd9Sstevel@tonic-gate (void) sprintf(pkent, "%s:%s", public, secret); 2837c478bd9Sstevel@tonic-gate switch (database) { 2847c478bd9Sstevel@tonic-gate case PK_YP: 2857c478bd9Sstevel@tonic-gate /* check that we're on the master server */ 2867c478bd9Sstevel@tonic-gate (void) yp_get_default_domain(&domain); 2877c478bd9Sstevel@tonic-gate if (yp_master(domain, PKMAP, &master) != 0) { 2887c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 2897c478bd9Sstevel@tonic-gate "%s: cannot find master of NIS publickey database\n", 2907c478bd9Sstevel@tonic-gate program_name); 2917c478bd9Sstevel@tonic-gate exit(1); 2927c478bd9Sstevel@tonic-gate } 2937c478bd9Sstevel@tonic-gate if (gethostname(hostname, MAXHOSTNAMELEN) < 0) { 2947c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 2957c478bd9Sstevel@tonic-gate "%s: cannot find my own host name\n", 2967c478bd9Sstevel@tonic-gate program_name); 2977c478bd9Sstevel@tonic-gate exit(1); 2987c478bd9Sstevel@tonic-gate } 2997c478bd9Sstevel@tonic-gate if (strcmp(master, hostname) != 0) { 3007c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 3017c478bd9Sstevel@tonic-gate "%s: can only be used on NIS master machine '%s'\n", 3027c478bd9Sstevel@tonic-gate program_name, master); 3037c478bd9Sstevel@tonic-gate exit(1); 3047c478bd9Sstevel@tonic-gate } 3057c478bd9Sstevel@tonic-gate 3067c478bd9Sstevel@tonic-gate if (chdir(YPDBPATH) < 0) { 3077c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "%s: cannot chdir to %s", 3087c478bd9Sstevel@tonic-gate program_name, YPDBPATH); 3097c478bd9Sstevel@tonic-gate } 3107c478bd9Sstevel@tonic-gate (void) fprintf(stdout, 3117c478bd9Sstevel@tonic-gate "Please wait for the database to get updated ...\n"); 3127c478bd9Sstevel@tonic-gate return (mapupdate(name, PKMAP, YPOP_STORE, pkent)); 3137c478bd9Sstevel@tonic-gate case PK_FILES: 3147c478bd9Sstevel@tonic-gate return (localupdate(name, PKFILE, YPOP_STORE, pkent)); 3157c478bd9Sstevel@tonic-gate case PK_NISPLUS: 3167c478bd9Sstevel@tonic-gate return (nisplus_update(name, public, secret, nis_princ)); 3177c478bd9Sstevel@tonic-gate case PK_LDAP: 3187c478bd9Sstevel@tonic-gate return (ldap_update("dh192-0", name, public, secret, pw)); 3197c478bd9Sstevel@tonic-gate default: 3207c478bd9Sstevel@tonic-gate break; 3217c478bd9Sstevel@tonic-gate } 3227c478bd9Sstevel@tonic-gate return (1); 3237c478bd9Sstevel@tonic-gate } 3247c478bd9Sstevel@tonic-gate 325*49e7ca49Speteh void 326*49e7ca49Speteh usage(void) 3277c478bd9Sstevel@tonic-gate { 3287c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 3297c478bd9Sstevel@tonic-gate "usage:\t%s -u username [-s ldap | nisplus | nis | files]\n", 3307c478bd9Sstevel@tonic-gate program_name); 3317c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 3327c478bd9Sstevel@tonic-gate "\t%s -h hostname [-s ldap | nisplus | nis | files]\n", 3337c478bd9Sstevel@tonic-gate program_name); 3347c478bd9Sstevel@tonic-gate exit(1); 3357c478bd9Sstevel@tonic-gate } 3367c478bd9Sstevel@tonic-gate 3377c478bd9Sstevel@tonic-gate /* 3387c478bd9Sstevel@tonic-gate * The parameters passed into the routine get_password and the 3397c478bd9Sstevel@tonic-gate * return values are as follows: 3407c478bd9Sstevel@tonic-gate * If the -h flag was specified on the command line: 3417c478bd9Sstevel@tonic-gate * (a) username is null 3427c478bd9Sstevel@tonic-gate * (b) target_host is non-null 3437c478bd9Sstevel@tonic-gate * (c) uid is 0 3447c478bd9Sstevel@tonic-gate * (d) the login password of root on target_host is returned 3457c478bd9Sstevel@tonic-gate * 3467c478bd9Sstevel@tonic-gate * If the -u flag was specified on the command line: 3477c478bd9Sstevel@tonic-gate * (a) username is non-null 3487c478bd9Sstevel@tonic-gate * (b) target_host is null in all cases except when username is root; 3497c478bd9Sstevel@tonic-gate * in that case target_host is set to the local host 3507c478bd9Sstevel@tonic-gate * (c) uid is set to the username's uid 3517c478bd9Sstevel@tonic-gate * (d) the login password of the user <username> is returned 3527c478bd9Sstevel@tonic-gate */ 3537c478bd9Sstevel@tonic-gate static char * 3547c478bd9Sstevel@tonic-gate get_password(uid, target_host, username) 3557c478bd9Sstevel@tonic-gate uid_t uid; 3567c478bd9Sstevel@tonic-gate char *target_host; 3577c478bd9Sstevel@tonic-gate char *username; 3587c478bd9Sstevel@tonic-gate { 3597c478bd9Sstevel@tonic-gate static char password[MAXPASSWD+1]; 3607c478bd9Sstevel@tonic-gate char prompt[MAXPASSWD+MAXHOSTNAMELEN+64]; 3617c478bd9Sstevel@tonic-gate char *encrypted_password, 3627c478bd9Sstevel@tonic-gate *login_password = NULL, 3637c478bd9Sstevel@tonic-gate *pass = NULL; 3647c478bd9Sstevel@tonic-gate struct passwd *pw; 3657c478bd9Sstevel@tonic-gate struct spwd *spw; 3667c478bd9Sstevel@tonic-gate 3677c478bd9Sstevel@tonic-gate if ((username != 0) || 3687c478bd9Sstevel@tonic-gate (target_host != 0) && (local_host(target_host))) { 3697c478bd9Sstevel@tonic-gate 3707c478bd9Sstevel@tonic-gate /* 3717c478bd9Sstevel@tonic-gate * "-u username" or "-h localhost" was specified on the 3727c478bd9Sstevel@tonic-gate * command line 3737c478bd9Sstevel@tonic-gate */ 3747c478bd9Sstevel@tonic-gate 3757c478bd9Sstevel@tonic-gate pw = getpwuid(uid); 3767c478bd9Sstevel@tonic-gate 3777c478bd9Sstevel@tonic-gate if (! pw) { 3787c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 3797c478bd9Sstevel@tonic-gate "%s: unable to locate password record for uid %d\n", 3807c478bd9Sstevel@tonic-gate program_name, uid); 3817c478bd9Sstevel@tonic-gate return (0); 3827c478bd9Sstevel@tonic-gate } 3837c478bd9Sstevel@tonic-gate spw = getspnam(pw->pw_name); 3847c478bd9Sstevel@tonic-gate if (spw) 3857c478bd9Sstevel@tonic-gate login_password = spw->sp_pwdp; 3867c478bd9Sstevel@tonic-gate 3877c478bd9Sstevel@tonic-gate if (! login_password || (strlen(login_password) == 0)) { 3887c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 3897c478bd9Sstevel@tonic-gate "%s: unable to locate shadow password record for %s\n", 3907c478bd9Sstevel@tonic-gate program_name, pw->pw_name); 3917c478bd9Sstevel@tonic-gate return (0); 3927c478bd9Sstevel@tonic-gate } 3937c478bd9Sstevel@tonic-gate 3947c478bd9Sstevel@tonic-gate if (uid == 0) { 3957c478bd9Sstevel@tonic-gate (void) sprintf(prompt, "Enter local root login password:"); 3967c478bd9Sstevel@tonic-gate } else 3977c478bd9Sstevel@tonic-gate (void) sprintf(prompt, "Enter %s's login password:", 3987c478bd9Sstevel@tonic-gate pw->pw_name); 3997c478bd9Sstevel@tonic-gate 4007c478bd9Sstevel@tonic-gate pass = getpass(prompt); 4017c478bd9Sstevel@tonic-gate if (pass && strlen(pass) == 0) { 4027c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "%s: Invalid password.\n", 4037c478bd9Sstevel@tonic-gate program_name); 4047c478bd9Sstevel@tonic-gate return (0); 4057c478bd9Sstevel@tonic-gate } 4067c478bd9Sstevel@tonic-gate strcpy(password, pass); 4077c478bd9Sstevel@tonic-gate encrypted_password = crypt(password, login_password); 4087c478bd9Sstevel@tonic-gate 4097c478bd9Sstevel@tonic-gate /* Verify that password supplied matches login password */ 4107c478bd9Sstevel@tonic-gate if (strcmp(encrypted_password, login_password) != 0) { 4117c478bd9Sstevel@tonic-gate /* 4127c478bd9Sstevel@tonic-gate * Give another chance for typo 4137c478bd9Sstevel@tonic-gate */ 4147c478bd9Sstevel@tonic-gate pass = getpass("Please retype password:"); 4157c478bd9Sstevel@tonic-gate if (pass && strlen(pass) == 0) { 4167c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "%s: Invalid password.\n", 4177c478bd9Sstevel@tonic-gate program_name); 4187c478bd9Sstevel@tonic-gate return (0); 4197c478bd9Sstevel@tonic-gate } 4207c478bd9Sstevel@tonic-gate strcpy(password, pass); 4217c478bd9Sstevel@tonic-gate encrypted_password = crypt(password, login_password); 4227c478bd9Sstevel@tonic-gate if (strcmp(encrypted_password, login_password) != 0) { 4237c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 4247c478bd9Sstevel@tonic-gate "%s: ERROR, invalid password.\n", 4257c478bd9Sstevel@tonic-gate program_name); 4267c478bd9Sstevel@tonic-gate return (0); 4277c478bd9Sstevel@tonic-gate } 4287c478bd9Sstevel@tonic-gate } 4297c478bd9Sstevel@tonic-gate } else { 4307c478bd9Sstevel@tonic-gate /* 4317c478bd9Sstevel@tonic-gate * "-h remotehost" was specified on the command line 4327c478bd9Sstevel@tonic-gate * 4337c478bd9Sstevel@tonic-gate * Since we cannot verify the root password of the remote 4347c478bd9Sstevel@tonic-gate * host we have to trust what the user inputs. We can, 4357c478bd9Sstevel@tonic-gate * however, reduce the possibility of an error by prompting 4367c478bd9Sstevel@tonic-gate * the user to enter the target host's password twice and 4377c478bd9Sstevel@tonic-gate * comparing those two. We can also authenticate the 4387c478bd9Sstevel@tonic-gate * user to be root by checking the real uid. 4397c478bd9Sstevel@tonic-gate */ 4407c478bd9Sstevel@tonic-gate 4417c478bd9Sstevel@tonic-gate if (getuid() != 0) { 4427c478bd9Sstevel@tonic-gate (void) fprintf(stderr, "Must be superuser to run %s\n", 4437c478bd9Sstevel@tonic-gate program_name); 4447c478bd9Sstevel@tonic-gate return (0); 4457c478bd9Sstevel@tonic-gate } 4467c478bd9Sstevel@tonic-gate 4477c478bd9Sstevel@tonic-gate (void) sprintf(prompt, 4487c478bd9Sstevel@tonic-gate "Enter %s's root login password:", 4497c478bd9Sstevel@tonic-gate target_host); 4507c478bd9Sstevel@tonic-gate pass = getpass(prompt); 4517c478bd9Sstevel@tonic-gate if (!pass) { 4527c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 4537c478bd9Sstevel@tonic-gate "%s: getpass failed.\n", 4547c478bd9Sstevel@tonic-gate program_name); 4557c478bd9Sstevel@tonic-gate return (0); 4567c478bd9Sstevel@tonic-gate } 4577c478bd9Sstevel@tonic-gate if (!*pass) { 4587c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 4597c478bd9Sstevel@tonic-gate "%s: Invalid root password.\n", 4607c478bd9Sstevel@tonic-gate program_name); 4617c478bd9Sstevel@tonic-gate return (0); 4627c478bd9Sstevel@tonic-gate } 4637c478bd9Sstevel@tonic-gate strcpy(password, pass); 4647c478bd9Sstevel@tonic-gate 4657c478bd9Sstevel@tonic-gate /* 4667c478bd9Sstevel@tonic-gate * Now re-enter the password and compare it to the 4677c478bd9Sstevel@tonic-gate * one just read. 4687c478bd9Sstevel@tonic-gate */ 4697c478bd9Sstevel@tonic-gate (void) sprintf(prompt, 4707c478bd9Sstevel@tonic-gate "Please confirm %s's root login password:", 4717c478bd9Sstevel@tonic-gate target_host); 4727c478bd9Sstevel@tonic-gate pass = getpass(prompt); 4737c478bd9Sstevel@tonic-gate if (!pass) { 4747c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 4757c478bd9Sstevel@tonic-gate "%s: getpass failed.\n", 4767c478bd9Sstevel@tonic-gate program_name); 4777c478bd9Sstevel@tonic-gate return (0); 4787c478bd9Sstevel@tonic-gate } 4797c478bd9Sstevel@tonic-gate if (!*pass) { 4807c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 4817c478bd9Sstevel@tonic-gate "%s: Invalid root password.\n", 4827c478bd9Sstevel@tonic-gate program_name); 4837c478bd9Sstevel@tonic-gate return (0); 4847c478bd9Sstevel@tonic-gate } 4857c478bd9Sstevel@tonic-gate if (strcmp(pass, password) != 0) { 4867c478bd9Sstevel@tonic-gate (void) fprintf(stderr, 4877c478bd9Sstevel@tonic-gate "%s: Password Incorrect.\n", 4887c478bd9Sstevel@tonic-gate program_name); 4897c478bd9Sstevel@tonic-gate return (0); 4907c478bd9Sstevel@tonic-gate } 4917c478bd9Sstevel@tonic-gate } 4927c478bd9Sstevel@tonic-gate 4937c478bd9Sstevel@tonic-gate return (password); 4947c478bd9Sstevel@tonic-gate } 495