summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--lib/libskey/Makefile8
-rw-r--r--lib/libskey/mdx.h19
-rw-r--r--lib/libskey/pathnames.h5
-rw-r--r--lib/libskey/put.c2
-rw-r--r--lib/libskey/skey.159
-rw-r--r--lib/libskey/skey.access.547
-rw-r--r--lib/libskey/skey.h9
-rw-r--r--lib/libskey/skey_crypt.c3
-rw-r--r--lib/libskey/skeyaccess.c200
-rw-r--r--lib/libskey/skeylogin.c23
-rw-r--r--lib/libskey/skeysubr.c143
-rw-r--r--libexec/ftpd/Makefile4
-rw-r--r--libexec/ftpd/ftpcmd.y2
-rw-r--r--libexec/ftpd/skey-stuff.c3
-rw-r--r--usr.bin/key/Makefile18
-rw-r--r--usr.bin/key/skey.c5
-rw-r--r--usr.bin/keyinit/Makefile13
-rw-r--r--usr.bin/keyinit/skeyinit.c11
-rw-r--r--usr.bin/login/Makefile15
-rw-r--r--usr.bin/login/login.c8
-rw-r--r--usr.bin/su/Makefile8
-rw-r--r--usr.bin/su/su.c8
22 files changed, 369 insertions, 244 deletions
diff --git a/lib/libskey/Makefile b/lib/libskey/Makefile
index f31f725da401..0630c5698b5e 100644
--- a/lib/libskey/Makefile
+++ b/lib/libskey/Makefile
@@ -1,14 +1,14 @@
# @(#)Makefile 5.4 (Berkeley) 5/7/91
LIB= skey
-SRCS= skeyaccess.c md4.c put.c skey_crypt.c skeylogin.c skeysubr.c
+SRCS= skeyaccess.c put.c skey_crypt.c skey_getpass.c skeylogin.c skeysubr.c
+MAN1= skey.1
MAN5= skey.access.5
-CFLAGS+=-DMPU8086 -DPERMIT_CONSOLE -I${.CURDIR}
+CFLAGS+=-DPERMIT_CONSOLE -I${.CURDIR}
beforeinstall:
- -cd ${.CURDIR}; cmp -s skey.h ${DESTDIR}/usr/include/skey.h > \
- /dev/null 2>&1 || \
+ -cd ${.CURDIR}; cmp -s skey.h ${DESTDIR}/usr/include/skey.h || \
install -c -o ${BINOWN} -g ${BINGRP} -m 444 skey.h \
${DESTDIR}/usr/include
diff --git a/lib/libskey/mdx.h b/lib/libskey/mdx.h
new file mode 100644
index 000000000000..567d541c959c
--- /dev/null
+++ b/lib/libskey/mdx.h
@@ -0,0 +1,19 @@
+#ifdef MD5
+/* S/Key can use MD5 now, if defined... */
+#include <md5.h>
+
+#define MDXFinal MD5Final
+#define MDXInit MD5Init
+#define MDXUpdate MD5Update
+#define MDX_CTX MD5_CTX
+#else
+
+/* By default, use MD4 for compatibility */
+#include <md4.h>
+
+#define MDXFinal MD4Final
+#define MDXInit MD4Init
+#define MDXUpdate MD4Update
+#define MDX_CTX MD4_CTX
+
+#endif
diff --git a/lib/libskey/pathnames.h b/lib/libskey/pathnames.h
index 43631f5133c3..87c8a2356dfa 100644
--- a/lib/libskey/pathnames.h
+++ b/lib/libskey/pathnames.h
@@ -1,5 +1,6 @@
-/* $Id$ (FreeBSD) */
+/* $Id: pathnames.h,v 1.1 1994/05/27 07:50:08 pst Exp $ (FreeBSD) */
#include <paths.h>
-#define _PATH_SKEYACCESS "/etc/skey.access"
+#define _PATH_SKEYACCESS "/etc/skey.access"
+#define _PATH_SKEYFILE "/etc/skeykeys"
diff --git a/lib/libskey/put.c b/lib/libskey/put.c
index 0f62d22499c1..d533714fcb18 100644
--- a/lib/libskey/put.c
+++ b/lib/libskey/put.c
@@ -2,7 +2,7 @@
#include <string.h>
#include <assert.h>
#include <ctype.h>
-#include <skey.h>
+#include "skey.h"
static unsigned long extract __P((char *s,int start,int length));
static void standard __P((char *word));
diff --git a/lib/libskey/skey.1 b/lib/libskey/skey.1
new file mode 100644
index 000000000000..b4e0455aa298
--- /dev/null
+++ b/lib/libskey/skey.1
@@ -0,0 +1,59 @@
+.ll 6i
+.pl 10.5i
+.\" @(#)skey.1 1.1 10/28/93
+.\"
+.lt 6.0i
+.TH KEY 1 "28 October 1993"
+.AT 3
+.SH NAME
+S/key \- A procedure to use one time passwords for accessing computer systems.
+.SH DESCRIPTION
+.I S/key
+is a procedure for using one time password to authenticate access to
+computer systems. It uses 64 bits of information transformed by the
+MD4 algorithm. The user supplies the 64 bits in the form of 6 English
+words that are generated by a secure computer.
+Example use of the S/key program
+.I key
+.sp
+ Usage example:
+.sp 0
+ >key 99 th91334
+.sp 0
+ Enter password: <your secret password is entered here>
+.sp 0
+ OMEN US HORN OMIT BACK AHOY
+.sp 0
+ >
+.sp
+The programs that are part of the S/Key system are keyinit, key, and
+keyinfo. Keyinit is used to get your ID set up, key is
+used to get the one time password each time,
+keyinfo is used to extract information from the S/Key database.
+.sp
+When you run "keyinit" you inform the system of your
+secret password. Running "key" then generates the
+one-time passwords, and also requires your secret
+password. If however, you misspell your password
+while running "key", you will get a list of passwords
+that will not work, and no indication about the problem.
+.sp
+Password sequence numbers count backward from 99. If you
+don't know this, the syntax for "key" will be confusing.
+.sp
+You can enter the passwords using small letters, even
+though the "key" program gives them in caps.
+.sp
+Macintosh and a general purpose PC use
+are available.
+.sp
+Under FreeBSD, you can control, with /etc/skey.access, from which
+hosts and/or networks the use of S/Key passwords is obligated.
+.LP
+.SH SEE ALSO
+.BR keyinit(1),
+.BR key(1),
+.BR keyinfo(1)
+.BR skey.access(5)
+.SH AUTHOR
+Phil Karn, Neil M. Haller, John S. Walden, Scott Chasin
diff --git a/lib/libskey/skey.access.5 b/lib/libskey/skey.access.5
index e92b4a66c3b6..2e12ad11935b 100644
--- a/lib/libskey/skey.access.5
+++ b/lib/libskey/skey.access.5
@@ -2,10 +2,9 @@
.SH NAME
skey.access \- S/Key password control table
.SH DESCRIPTION
-The S/Key password control table (default
-.IR /etc/skey.access )
-is used by \fIlogin\fR-like programs to determine when UNIX passwords
-may be used to access the system.
+The S/Key password control table (\fI/etc/skey.access\fR) is used by
+\fIlogin\fR-like programs to determine when UNIX passwords may be used
+to access the system.
.IP \(bu
When the table does not exist, there are no password restrictions. The
user may enter the UNIX password or the S/Key one.
@@ -44,6 +43,7 @@ on it.
.SH CONDITIONS
.IP "hostname wzv.win.tue.nl"
True when the login comes from host wzv.win.tue.nl.
+See the WARNINGS section below.
.IP "internet 131.155.210.0 255.255.255.0"
True when the remote host has an internet address in network
131.155.210. The general form of a net/mask rule is:
@@ -58,6 +58,7 @@ and
.I mask
equals
.IR net.
+See the WARNINGS section below.
.IP "port ttya"
True when the login terminal is equal to
.IR /dev/ttya .
@@ -74,6 +75,44 @@ group.
For the sake of backwards compatibility, the
.I internet
keyword may be omitted from net/mask patterns.
+.SH WARNINGS
+Several rule types depend on host name or address information obtained
+through the network. What follows is a list of conceivable attacks to
+force the system to permit UNIX passwords.
+.IP "Host address spoofing (source routing)"
+An intruder configures a local interface to an address in a trusted
+network and connects to the victim using that source address. Given
+the wrong client address, the victim draws the wrong conclusion from
+rules based on host addresses or from rules based on host names derived
+from addresses.
+.sp
+Remedies: (1) do not permit UNIX passwords with network logins; (2)
+use network software that discards source routing information (e.g.
+a tcp wrapper).
+.PP
+Almost every network server must look up the client host name using the
+client network address. The next obvious attack therefore is:
+.IP "Host name spoofing (bad PTR record)"
+An intruder manipulates the name server system so that the client
+network address resolves to the name of a trusted host. Given the
+wrong host name, the victim draws the wrong conclusion from rules based
+on host names, or from rules based on addresses derived from host
+names.
+.sp
+Remedies: (1) do not permit UNIX passwords with network logins; (2) use
+network software that verifies that the hostname resolves to the client
+network address (e.g. a tcp wrapper).
+.PP
+Some applications, such as the UNIX login program, must look up the
+client network address using the client host name. In addition to the
+previous two attacks, this opens up yet another possibility:
+.IP "Host address spoofing (extra A record)"
+An intruder manipulates the name server system so that the client host
+name (also) resolves to a trusted address.
+.sp
+Remedies: (1) do not permit UNIX passwords with network logins; (2)
+the skeyaccess() routines ignore network addresses that appear to
+belong to someone else.
.SH DIAGNOSTICS
Syntax errors are reported to the syslogd. When an error is found
the rule is skipped.
diff --git a/lib/libskey/skey.h b/lib/libskey/skey.h
index e9ee453b586e..039da4e680af 100644
--- a/lib/libskey/skey.h
+++ b/lib/libskey/skey.h
@@ -12,8 +12,6 @@ struct skey {
char *seed;
char *val;
long recstart; /*needed so reread of buffer is efficient*/
-
-
};
/* Client-side structure for scanning data stream for challenge */
@@ -32,6 +30,11 @@ void rip __P((char *buf));
int skeychallenge __P((struct skey *mp,char *name, char *challenge));
int skeylookup __P((struct skey *mp,char *name));
int skeyverify __P((struct skey *mp,char *response));
-int skeyaccess __P((char *user, char *port, char *host));
+
+/* Simplified application programming interface. */
+#include <pwd.h>
+int skeyaccess __P((char *user, char *port, char *host, char *addr));
+char *skey_getpass __P((char *prompt, struct passwd *pwd, int pwok));
+char *skey_crypt __P((char *pp, char *salt, struct passwd *pwd, int pwok));
#endif /* _SKEY_H_ */
diff --git a/lib/libskey/skey_crypt.c b/lib/libskey/skey_crypt.c
index b61bef08c90b..ca1024f77418 100644
--- a/lib/libskey/skey_crypt.c
+++ b/lib/libskey/skey_crypt.c
@@ -3,7 +3,8 @@
#include <string.h>
#include <stdio.h>
#include <pwd.h>
-#include <skey.h>
+
+#include "skey.h"
/* skey_crypt - return encrypted UNIX passwd if s/key or regular password ok */
diff --git a/lib/libskey/skeyaccess.c b/lib/libskey/skeyaccess.c
index 67ed549dce36..3cd877fd896a 100644
--- a/lib/libskey/skeyaccess.c
+++ b/lib/libskey/skeyaccess.c
@@ -2,9 +2,14 @@
* Figure out if UNIX passwords are permitted for any combination of user
* name, group member, terminal port, host_name or network:
*
- * Programmatic interface: skeyaccess(char *user, char *port, char *host)
+ * Programmatic interface: skeyaccess(user, port, host, addr)
*
- * Specify a null character pointer where information is not available.
+ * All arguments are null-terminated strings. Specify a null character pointer
+ * where information is not available.
+ *
+ * When no address information is given this code performs the host (internet)
+ * address lookup itself. It rejects addresses that appear to belong to
+ * someone else.
*
* When compiled with -DPERMIT_CONSOLE always permits UNIX passwords with
* console logins, no matter what the configuration file says.
@@ -12,7 +17,9 @@
* To build a stand-alone test version, compile with -DTEST and run it off an
* skey.access file in the current directory:
*
- * Command-line interface: ./skeyaccess user port [host]
+ * Command-line interface: ./skeyaccess user port [host_or_ip_addr]
+ *
+ * Errors are reported via syslogd.
*
* Author: Wietse Venema, Eindhoven University of Technology.
*/
@@ -54,6 +61,8 @@ static int match_internet_addr();
static int match_group();
static int match_token();
static int is_internet_addr();
+static struct in_addr *convert_internet_addr();
+static struct in_addr *lookup_internet_addr();
#define MAX_ADDR 32
#define PERMIT 1
@@ -68,40 +77,53 @@ struct login_info {
/* skeyaccess - find out if UNIX passwords are permitted */
-int skeyaccess(user, port, host)
+int skeyaccess(user, port, host, addr)
char *user;
char *port;
char *host;
+char *addr;
{
- struct hostent *hp;
+ FILE *fp;
struct login_info login_info;
- struct in_addr internet_addr[MAX_ADDR + 1];
- char hostname_buf[MAXHOSTNAMELEN + 1];
- int i;
+ int result;
+ /*
+ * Assume no restriction on the use of UNIX passwords when the s/key
+ * acces table does not exist.
+ */
+ if ((fp = fopen(_PATH_SKEYACCESS, "r")) == 0) {
+#ifdef TEST
+ fprintf(stderr, "No file %s, thus no access control\n", _PATH_SKEYACCESS);
+#endif
+ return (PERMIT);
+ }
+
+ /*
+ * Bundle up the arguments in a structure so we won't have to drag around
+ * boring long argument lists.
+ *
+ * Look up the host address when only the name is given. We try to reject
+ * addresses that belong to someone else.
+ */
login_info.user = user;
login_info.port = port;
- login_info.host_name = 0;
- login_info.internet_addr = 0;
-
- if (host) {
- if (is_internet_addr(host)) { /* not DECnet */
- internet_addr[0].s_addr = inet_addr(host);
- internet_addr[1].s_addr = 0;
- login_info.internet_addr = internet_addr;
+
+ if (host != 0 && !is_internet_addr(host)) {
+ login_info.host_name = host;
+ } else {
+ login_info.host_name = 0;
+ }
+
+ if (addr != 0 && is_internet_addr(addr)) {
+ login_info.internet_addr = convert_internet_addr(addr);
+ } else if (host != 0) {
+ if (is_internet_addr(host)) {
+ login_info.internet_addr = convert_internet_addr(host);
} else {
- if ((hp = gethostbyname(host)) != 0 && hp->h_addrtype == AF_INET) {
- for (i = 0; i < MAX_ADDR && hp->h_addr_list[i]; i++)
- memcpy((char *) &internet_addr[i],
- hp->h_addr_list[i], hp->h_length);
- internet_addr[i].s_addr = 0;
- login_info.internet_addr = internet_addr;
- host = hp->h_name;
- }
- strncpy(hostname_buf, host, MAXHOSTNAMELEN);
- hostname_buf[MAXHOSTNAMELEN] = 0;
- login_info.host_name = hostname_buf;
+ login_info.internet_addr = lookup_internet_addr(host);
}
+ } else {
+ login_info.internet_addr = 0;
}
/*
@@ -115,20 +137,25 @@ char *host;
if (login_info.internet_addr == 0) {
printf("none\n");
} else {
+ int i;
+
for (i = 0; login_info.internet_addr[i].s_addr; i++)
- printf("%s%s", inet_ntoa(login_info.internet_addr[i]),
+ printf("%s%s", login_info.internet_addr[i].s_addr == -1 ?
+ "(see error log)" : inet_ntoa(login_info.internet_addr[i]),
login_info.internet_addr[i + 1].s_addr ? " " : "\n");
}
#endif
- return (_skeyaccess(&login_info));
+ result = _skeyaccess(fp, &login_info);
+ fclose(fp);
+ return (result);
}
/* _skeyaccess - find out if UNIX passwords are permitted */
-int _skeyaccess(login_info)
+int _skeyaccess(fp, login_info)
+FILE *fp;
struct login_info *login_info;
{
- FILE *fp;
char buf[BUFSIZ];
char *tok;
int match;
@@ -140,13 +167,6 @@ struct login_info *login_info;
#endif
/*
- * Assume no restriction on the use of UNIX passwords when the s/key
- * acces table does not exist.
- */
- if ((fp = fopen(_PATH_SKEYACCESS, "r")) == 0)
- return (PERMIT);
-
- /*
* Scan the s/key access table until we find an entry that matches. If no
* match is found, assume that UNIX passwords are disallowed.
*/
@@ -187,7 +207,6 @@ struct login_info *login_info;
}
}
}
- fclose(fp);
return (match ? permission : DENY);
}
@@ -200,7 +219,6 @@ struct login_info *login_info;
long pattern;
long mask;
struct in_addr *addrp;
- struct hostent *hp;
if (login_info->internet_addr == 0)
return (0);
@@ -212,26 +230,13 @@ struct login_info *login_info;
mask = inet_addr(tok);
/*
- * See if any of the addresses matches a pattern in the control file.
- * Report and skip the address if it does not belong to the remote host.
- * Assume localhost == localhost.domain.
+ * See if any of the addresses matches a pattern in the control file. We
+ * have already tried to drop addresses that belong to someone else.
*/
-#define NEQ(x,y) (strcasecmp((x),(y)) != 0)
-
- for (addrp = login_info->internet_addr; addrp->s_addr; addrp++) {
- if ((addrp->s_addr & mask) == pattern) {
- if (login_info->host_name != 0 &&
- ((hp = gethostbyaddr((char *) addrp, sizeof(*addrp), AF_INET)) == 0
- || (NEQ(login_info->host_name, hp->h_name)
- && NEQ(login_info->host_name, "localhost")))) {
- syslog(LOG_ERR, "address %s not registered for host %s",
- inet_ntoa(*addrp), login_info->host_name);
- continue;
- }
+ for (addrp = login_info->internet_addr; addrp->s_addr; addrp++)
+ if (addrp->s_addr != -1 && (addrp->s_addr & mask) == pattern)
return (1);
- }
- }
return (0);
}
@@ -365,18 +370,97 @@ char *str;
return (runs == 4);
}
+/* lookup_internet_addr - look up internet addresses with extreme prejudice */
+
+static struct in_addr *lookup_internet_addr(host)
+char *host;
+{
+ struct hostent *hp;
+ static struct in_addr list[MAX_ADDR + 1];
+ char buf[MAXHOSTNAMELEN + 1];
+ int length;
+ int i;
+
+ if ((hp = gethostbyname(host)) == 0 || hp->h_addrtype != AF_INET)
+ return (0);
+
+ /*
+ * Save a copy of the results before gethostbyaddr() clobbers them.
+ */
+
+ for (i = 0; i < MAX_ADDR && hp->h_addr_list[i]; i++)
+ memcpy((char *) &list[i],
+ hp->h_addr_list[i], hp->h_length);
+ list[i].s_addr = 0;
+
+ strncpy(buf, hp->h_name, MAXHOSTNAMELEN);
+ buf[MAXHOSTNAMELEN] = 0;
+ length = hp->h_length;
+
+ /*
+ * Wipe addresses that appear to belong to someone else. We will get
+ * false alarms when when the hostname comes from DNS, while its
+ * addresses are listed under different names in local databases.
+ */
+#define NEQ(x,y) (strcasecmp((x),(y)) != 0)
+#define NEQ3(x,y,n) (strncasecmp((x),(y), (n)) != 0)
+
+ while (--i >= 0) {
+ if ((hp = gethostbyaddr((char *) &list[i], length, AF_INET)) == 0) {
+ syslog(LOG_ERR, "address %s not registered for host %s",
+ inet_ntoa(list[i]), buf);
+ list[i].s_addr = -1;
+ }
+ if (NEQ(buf, hp->h_name) && NEQ3(buf, "localhost.", 10)) {
+ syslog(LOG_ERR, "address %s registered for host %s and %s",
+ inet_ntoa(list[i]), hp->h_name, buf);
+ list[i].s_addr = -1;
+ }
+ }
+ return (list);
+}
+
+/* convert_internet_addr - convert string to internet address */
+
+static struct in_addr *convert_internet_addr(string)
+char *string;
+{
+ static struct in_addr list[2];
+
+ list[0].s_addr = inet_addr(string);
+ list[1].s_addr = 0;
+ return (list);
+}
+
#ifdef TEST
main(argc, argv)
int argc;
char **argv;
{
+ struct hostent *hp;
+ char host[MAXHOSTNAMELEN + 1];
+ int verdict;
+ char *user;
+ char *port;
+
if (argc != 3 && argc != 4) {
fprintf(stderr, "usage: %s user port [host_or_ip_address]\n", argv[0]);
exit(0);
}
+ if (_PATH_SKEYACCESS[0] != '/')
+ printf("Warning: this program uses control file: %s\n", KEYACCESS);
openlog("login", LOG_PID, LOG_AUTH);
- printf("%s\n", skeyaccess(argv[1], argv[2], argv[3]) ? "YES" : "NO");
+
+ user = argv[1];
+ port = argv[2];
+ if (argv[3]) {
+ strncpy(host, (hp = gethostbyname(argv[3])) ?
+ hp->h_name : argv[3], MAXHOSTNAMELEN);
+ host[MAXHOSTNAMELEN] = 0;
+ }
+ verdict = skeyaccess(user, port, argv[3] ? host : (char *) 0, (char *) 0);
+ printf("UNIX passwords %spermitted\n", verdict ? "" : "NOT ");
return (0);
}
diff --git a/lib/libskey/skeylogin.c b/lib/libskey/skeylogin.c
index f2d41049e1d8..e15edb5b4f60 100644
--- a/lib/libskey/skeylogin.c
+++ b/lib/libskey/skeylogin.c
@@ -2,12 +2,10 @@
* of Bellcore.
*
* Mink is the former name of the S/KEY authentication system.
- * Many references for mink may still be found in this program. */
+ * Many references for mink may still be found in this program.
+ */
#include <sys/param.h>
-#ifdef QUOTA
-#include <sys/quota.h>
-#endif
#include <sys/stat.h>
#include <sys/time.h>
#include <sys/resource.h>
@@ -19,9 +17,9 @@
#include <sys/stat.h>
#include <time.h>
#include <errno.h>
-#include <skey.h>
-#define KEYFILE "/etc/skeykeys"
+#include "skey.h"
+#include "pathnames.h"
char *skipspace();
int skeylookup __P((struct skey *mp,char *name));
@@ -57,7 +55,8 @@ char *prompt;
return -1;
}
return -1; /* Can't happen */
-}
+}
+
/* Return a skey challenge string for user 'name'. If successful,
* fill in the caller's skey structure and return 0. If unsuccessful
* (e.g., if name is unknown) return -1.
@@ -104,13 +103,13 @@ char *name;
char *cp;
struct stat statbuf;
- /* See if the KEYFILE exists, and create it if not */
- if(stat(KEYFILE,&statbuf) == -1 && errno == ENOENT){
- mp->keyfile = fopen(KEYFILE,"w+");
- (void) chmod(KEYFILE, 0644);
+ /* See if the _PATH_SKEYFILE exists, and create it if not */
+ if(stat(_PATH_SKEYFILE,&statbuf) == -1 && errno == ENOENT){
+ mp->keyfile = fopen(_PATH_SKEYFILE,"w+");
+ (void) chmod(_PATH_SKEYFILE, 0644);
} else {
/* Otherwise open normally for update */
- mp->keyfile = fopen(KEYFILE,"r+");
+ mp->keyfile = fopen(_PATH_SKEYFILE,"r+");
}
if(mp->keyfile == NULL)
return -1;
diff --git a/lib/libskey/skeysubr.c b/lib/libskey/skeysubr.c
index b947c0164068..e144202a7655 100644
--- a/lib/libskey/skeysubr.c
+++ b/lib/libskey/skeysubr.c
@@ -4,19 +4,14 @@
#ifdef __MSDOS__
#include <dos.h>
#endif
-#ifdef unix /* Assume POSIX */
+#ifdef unix
#include <fcntl.h>
#include <termios.h>
+#include <signal.h>
#endif
-#include <skey.h>
-#include "md4.h"
-
-#ifndef LITTLE_ENDIAN
-#if (defined(__MSDOS__) || defined(MPU8086) || defined(MPU8080) \
- || defined(vax) || defined (MIPSEL))
-#define LITTLE_ENDIAN /* Low order bytes are first in memory */
-#endif /* Almost all other machines are big-endian */
-#endif
+
+#include "skey.h"
+#include "mdx.h"
/* Crunch a key:
* concatenate the seed and the password, run through MD4 and
@@ -24,17 +19,14 @@
*/
int
keycrunch(result,seed,passwd)
-char *result; /* 8-byte result */
-char *seed; /* Seed, any length */
-char *passwd; /* Password, any length */
+char *result; /* 8-byte result */
+char *seed; /* Seed, any length */
+char *passwd; /* Password, any length */
{
char *buf;
- MDstruct md;
+ MDX_CTX md;
+ u_long results[4];
unsigned int buflen;
-#ifndef LITTLE_ENDIAN
- int i;
- register long tmp;
-#endif
buflen = strlen(seed) + strlen(passwd);
if((buf = malloc(buflen+1)) == NULL)
@@ -42,35 +34,17 @@ char *passwd; /* Password, any length */
strcpy(buf,seed);
strcat(buf,passwd);
- /* Crunch the key through MD4 */
+ /* Crunch the key through MD[45] */
sevenbit(buf);
- MDbegin(&md);
- MDupdate(&md,(unsigned char *)buf,8*buflen);
-
+ MDXInit(&md);
+ MDXUpdate(&md,(unsigned char *)buf,buflen);
+ MDXFinal((unsigned char *)results,&md);
free(buf);
- /* Fold result from 128 to 64 bits */
- md.buffer[0] ^= md.buffer[2];
- md.buffer[1] ^= md.buffer[3];
+ results[0] ^= results[2];
+ results[1] ^= results[3];
-#ifdef LITTLE_ENDIAN
- /* Only works on byte-addressed little-endian machines!! */
- memcpy(result,(char *)md.buffer,8);
-#else
- /* Default (but slow) code that will convert to
- * little-endian byte ordering on any machine
- */
- for(i=0;i<2;i++){
- tmp = md.buffer[i];
- *result++ = tmp;
- tmp >>= 8;
- *result++ = tmp;
- tmp >>= 8;
- *result++ = tmp;
- tmp >>= 8;
- *result++ = tmp;
- }
-#endif
+ memcpy(result,(char *)results,8);
return 0;
}
@@ -80,44 +54,18 @@ void
f(x)
char *x;
{
- MDstruct md;
-#ifndef LITTLE_ENDIAN
- register long tmp;
-#endif
-
- MDbegin(&md);
- MDupdate(&md,(unsigned char *)x,64);
+ MDX_CTX md;
+ u_long results[4];
+ MDXInit(&md);
+ MDXUpdate(&md,(unsigned char *)x,8);
+ MDXFinal((unsigned char *)results,&md);
/* Fold 128 to 64 bits */
- md.buffer[0] ^= md.buffer[2];
- md.buffer[1] ^= md.buffer[3];
+ results[0] ^= results[2];
+ results[1] ^= results[3];
-#ifdef LITTLE_ENDIAN
/* Only works on byte-addressed little-endian machines!! */
- memcpy(x,(char *)md.buffer,8);
-
-#else
- /* Default (but slow) code that will convert to
- * little-endian byte ordering on any machine
- */
- tmp = md.buffer[0];
- *x++ = tmp;
- tmp >>= 8;
- *x++ = tmp;
- tmp >>= 8;
- *x++ = tmp;
- tmp >>= 8;
- *x++ = tmp;
-
- tmp = md.buffer[1];
- *x++ = tmp;
- tmp >>= 8;
- *x++ = tmp;
- tmp >>= 8;
- *x++ = tmp;
- tmp >>= 8;
- *x = tmp;
-#endif
+ memcpy(x,(char *)results,8);
}
/* Strip trailing cr/lf from a line of text */
@@ -152,16 +100,26 @@ int n;
return buf;
}
#else
+static struct termios saved_ttymode;
+
+static void interrupt()
+{
+ tcsetattr(0, TCSANOW, &saved_ttymode);
+ exit(1);
+}
+
char *
readpass(buf,n)
char *buf;
int n;
{
- struct termios saved_ttymode;
struct termios noecho_ttymode;
+ void (*oldsig)();
/* Save normal line editing modes */
tcgetattr(0, &saved_ttymode);
+ if ((oldsig = signal(SIGINT, SIG_IGN)) != SIG_IGN)
+ signal(SIGINT, interrupt);
/* Turn off echoing */
tcgetattr(0, &noecho_ttymode);
@@ -172,6 +130,8 @@ int n;
/* Restore previous tty modes */
tcsetattr(0, TCSANOW, &saved_ttymode);
+ if (oldsig != SIG_IGN)
+ signal(SIGINT, oldsig);
/*
after the secret key is taken from the keyboard, the line feed is
@@ -189,33 +149,6 @@ int n;
#endif
-/* removebackspaced over charaters from the string*/
-backspace(buf)
-char *buf;
-{
- char bs = 0x8;
- char *cp = buf;
- char *out = buf;
-
- while(*cp){
- if( *cp == bs ) {
- if(out == buf){
- cp++;
- continue;
- }
- else {
- cp++;
- out--;
- }
- }
- else {
- *out++ = *cp++;
- }
-
- }
- *out = '\0';
-
-}
sevenbit(s)
char *s;
{
diff --git a/libexec/ftpd/Makefile b/libexec/ftpd/Makefile
index 396deee0d729..e1e5be2b3658 100644
--- a/libexec/ftpd/Makefile
+++ b/libexec/ftpd/Makefile
@@ -6,8 +6,8 @@ SRCS= ftpd.c ftpcmd.c logwtmp.c popen.c skey-stuff.c
CFLAGS+=-DSETPROCTITLE -DSKEY
-LDADD= -lcrypt -lskey
-DPADD= ${LIBCRYPT} ${LIBSKEY}
+LDADD= -lcrypt -lskey -lmd
+DPADD= ${LIBCRYPT} ${LIBSKEY} ${LIBMD}
CLEANFILES+=ftpcmd.c y.tab.h
diff --git a/libexec/ftpd/ftpcmd.y b/libexec/ftpd/ftpcmd.y
index 6ec3d252545a..5c090e35fae7 100644
--- a/libexec/ftpd/ftpcmd.y
+++ b/libexec/ftpd/ftpcmd.y
@@ -951,7 +951,7 @@ yylex()
upper(cbuf);
p = lookup(cmdtab, cbuf);
cbuf[cpos] = c;
- if (p != 0) {
+ if (guest != 0 && p != 0) {
if (p->implemented == 0) {
nack(p->name);
longjmp(errcatch,0);
diff --git a/libexec/ftpd/skey-stuff.c b/libexec/ftpd/skey-stuff.c
index fdec650bcef0..5c34b9b7395d 100644
--- a/libexec/ftpd/skey-stuff.c
+++ b/libexec/ftpd/skey-stuff.c
@@ -18,6 +18,7 @@ int pwok;
/* Display s/key challenge where appropriate. */
if (pwd == 0 || skeychallenge(&skey, pwd->pw_name, buf) != 0)
- sprintf(buf, "Password required for %s.", name);
+ sprintf(buf, "%s required for %s.",
+ pwok ? "Password" : "S/Key password", name);
return (buf);
}
diff --git a/usr.bin/key/Makefile b/usr.bin/key/Makefile
index b8553abe3879..9612051552e7 100644
--- a/usr.bin/key/Makefile
+++ b/usr.bin/key/Makefile
@@ -1,21 +1,11 @@
-
# @(#)Makefile 5.6 (Berkeley) 3/5/91
#
PROG= key
-MAN1= key.1 skey.1
-CFLAGS+=-I${.CURDIR}/../../lib
-
-
-DPADD= /usr/bin/libskey.a
-LDADD= -lskey
-
-.if exists(/usr/lib/libcrypt.a)
-DPADD+= ${LIBCRYPT}
-LDADD+= -lcrypt
-.endif
-
SRCS= skey.c
+MAN1= key.1
-.include <bsd.prog.mk>
+DPADD= ${LIBSKEY} ${LIBMD}
+LDADD= -lskey -lmd
+.include <bsd.prog.mk>
diff --git a/usr.bin/key/skey.c b/usr.bin/key/skey.c
index d1bc239bed99..1e810e90a4f4 100644
--- a/usr.bin/key/skey.c
+++ b/usr.bin/key/skey.c
@@ -12,12 +12,13 @@
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+
#ifdef __MSDOS__
#include <dos.h>
#else /* Assume BSD unix */
#include <fcntl.h>
#endif
-#include "libskey/md4.h"
+
#include <skey.h>
char *readpass();
@@ -119,10 +120,10 @@ char *argv[];
}
return 0;
}
+
void
usage(s)
char *s;
{
fprintf(stderr,"Usage: %s [-n count] <sequence #>[/] <key> \n",s);
}
-
diff --git a/usr.bin/keyinit/Makefile b/usr.bin/keyinit/Makefile
index a716f14cb3d9..a9ed54ee0eac 100644
--- a/usr.bin/keyinit/Makefile
+++ b/usr.bin/keyinit/Makefile
@@ -1,20 +1,13 @@
-
# @(#)Makefile 5.6 (Berkeley) 3/5/91
#
-
PROG= keyinit
MAN1= keyinit.1
-DPADD= /usr/bin/libskey.a
-LDADD= -lskey
-
-.if exists(/usr/lib/libcrypt.a)
-DPADD+= ${LIBCRYPT}
-LDADD+= -lcrypt
-.endif
-
SRCS= skeyinit.c
BINOWN= root
BINMODE=4555
+DPADD= ${LIBSKEY} ${LIBMD}
+LDADD= -lskey -lmd
+
.include <bsd.prog.mk>
diff --git a/usr.bin/keyinit/skeyinit.c b/usr.bin/keyinit/skeyinit.c
index 7c8e5d6f1c6d..5dfd1b19f12e 100644
--- a/usr.bin/keyinit/skeyinit.c
+++ b/usr.bin/keyinit/skeyinit.c
@@ -4,17 +4,15 @@
#include <stdio.h>
#include <string.h>
#include <pwd.h>
-#include <skey.h>
#include <time.h>
+#include <skey.h>
+
extern int optind;
extern char *optarg;
-char * readpass();
-
-int skeylookup __P((struct skey *mp,char *name));
-
#define NAMELEN 2
+
int
main(argc,argv)
int argc;
@@ -103,7 +101,7 @@ char *argv[];
printf("Reminder you need the 6 english words from the skey command.\n");
for(i=0;;i++){
if(i >= 2) exit(1);
- printf("Enter sequence count from 1 to 10000: ");
+ printf("Enter sequence count from 1 to 9999: ");
fgets(tmp,sizeof(tmp),stdin);
n = atoi(tmp);
if(n > 0 && n < 10000)
@@ -126,7 +124,6 @@ char *argv[];
printf("s/key %d %s\ns/key access password: ",n,seed);
fgets(tmp,sizeof(tmp),stdin);
rip(tmp);
- backspace(tmp);
if(tmp[0] == '?'){
printf("Enter 6 English words from secure S/Key calculation.\n");
continue;
diff --git a/usr.bin/login/Makefile b/usr.bin/login/Makefile
index bae657d9640e..21131d954da0 100644
--- a/usr.bin/login/Makefile
+++ b/usr.bin/login/Makefile
@@ -1,16 +1,18 @@
# From: @(#)Makefile 8.1 (Berkeley) 7/19/93
-# $Id$
+# $Id: Makefile,v 1.8 1994/09/30 13:26:15 csgr Exp $
PROG= login
MAN1= login.1
MAN5= login.access.5
-SRCS= login.c login_access.c login_skey.c login_fbtab.c
-DPADD= ${LIBUTIL} ${LIBSKEY}
-LDADD= -lutil -lcrypt -lskey
+SRCS= login.c login_access.c login_fbtab.c
+
CFLAGS+=-DLOGIN_ACCESS -DSKEY -DLOGALL
-.if exists(${DESTDIR}/usr/lib/libkrb.a) && (defined(MAKE_KERBEROS) \
- || defined(MAKE_EBONES))
+DPADD= ${LIBUTIL} ${LIBCRYPT} ${LIBSKEY} ${LIBMD}
+LDADD= -lutil -lcrypt -lskey -lmd
+
+.if exists(${DESTDIR}/usr/lib/libkrb.a) && \
+ (defined(MAKE_KERBEROS) || defined(MAKE_EBONES))
CFLAGS+=-DKERBEROS
SRCS+= klogin.c
DPADD+= ${LIBKRB} ${LIBDES}
@@ -22,4 +24,3 @@ BINMODE=4555
INSTALLFLAGS=-fschg
.include <bsd.prog.mk>
-
diff --git a/usr.bin/login/login.c b/usr.bin/login/login.c
index f240b1ba848f..a3b2683fc6b8 100644
--- a/usr.bin/login/login.c
+++ b/usr.bin/login/login.c
@@ -68,6 +68,10 @@ static char sccsid[] = "@(#)login.c 8.4 (Berkeley) 4/2/94";
#include <unistd.h>
#include <utmp.h>
+#ifdef SKEY
+#include <skey.h>
+#endif
+
#include "pathnames.h"
void badlogin __P((char *));
@@ -125,7 +129,6 @@ main(argc, argv)
char full_hostname[MAXHOSTNAMELEN];
#ifdef SKEY
int permit_passwd = 0;
- char *skey_getpass(), *skey_crypt();
#endif
(void)signal(SIGALRM, timedout);
@@ -259,7 +262,8 @@ main(argc, argv)
#ifdef SKEY
permit_passwd = skeyaccess(username, tty,
- hostname ? full_hostname : NULL);
+ hostname ? full_hostname : NULL,
+ NULL);
p = skey_getpass("Password:", pwd, permit_passwd);
ep = skey_crypt(p, salt, pwd, permit_passwd);
#else
diff --git a/usr.bin/su/Makefile b/usr.bin/su/Makefile
index c353734dd7e8..f9b61b1a9966 100644
--- a/usr.bin/su/Makefile
+++ b/usr.bin/su/Makefile
@@ -1,12 +1,12 @@
# @(#)Makefile 8.1 (Berkeley) 7/19/93
PROG= su
-LDADD= -lcrypt -lskey
-DPADD= ${LIBCRYPT} ${LIBSKEY}
-SRCS= su.c login_skey.c
+SRCS= su.c
+
CFLAGS+=-DSKEY
-.PATH: ${.CURDIR}/../login
+LDADD= -lcrypt -lskey -lmd
+DPADD= ${LIBCRYPT} ${LIBSKEY} ${LIBMD}
.if exists(${DESTDIR}/usr/lib/libkrb.a) && (defined(MAKE_KERBEROS) \
|| defined(MAKE_EBONES))
diff --git a/usr.bin/su/su.c b/usr.bin/su/su.c
index 1928d1ee4a22..244a6954c582 100644
--- a/usr.bin/su/su.c
+++ b/usr.bin/su/su.c
@@ -56,6 +56,10 @@ static char sccsid[] = "@(#)su.c 8.3 (Berkeley) 4/2/94";
#include <syslog.h>
#include <unistd.h>
+#ifdef SKEY
+#include <skey.h>
+#endif
+
#ifdef KERBEROS
#include <kerberosIV/des.h>
#include <kerberosIV/krb.h>
@@ -68,10 +72,6 @@ int use_kerberos = 1;
#define ARGSTR "-flm"
#endif
-#ifdef SKEY
-char *skey_crypt(), *skey_getpass();
-#endif
-
char *ontty __P((void));
int chshell __P((char *));