Makefile.in (build_pwfile): Add rule to build the build_pwfile program

kadm_server.c (kadm_ser_cpw): Put the call to the kadm_approve_pw in the common code, so it's executed even if KADM5 is defined. Add appropriate syslogs to the change password processing. kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do the NDBM-based dictionary check. Build kadmind4 using the make option PW_CHECK=-DNDBM_PW_CHECK if this feature is desired. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@10621 dc483132-0cff-0310-8789-dd5450dbe970
author: Theodore Tso <tytso@mit.edu> 1998-07-03 22:34:54 +0000
committer: Theodore Tso <tytso@mit.edu> 1998-07-03 22:34:54 +0000
commit: df1bc2c9c34765cb8eeb75c704d7ce0294f4743b (patch)
tree: 53565355572076bb29a3f17dcc1083d862cb2297 /src/kadmin/v4server
parent: e7fe8eaef32539fc176888413cdcf345952b9efb (diff)
download: krb5-df1bc2c9c34765cb8eeb75c704d7ce0294f4743b.zip
krb5-df1bc2c9c34765cb8eeb75c704d7ce0294f4743b.tar.gz
krb5-df1bc2c9c34765cb8eeb75c704d7ce0294f4743b.tar.bz2
5 files changed, 200 insertions, 50 deletions
diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog
index 5ced9eb..c8846ff 100644
--- a/src/kadmin/v4server/ChangeLog
+++ b/src/kadmin/v4server/ChangeLog
@@ -1,3 +1,18 @@
+Fri Jul  3 18:17:48 1998  Theodore Y. Ts'o  <tytso@mit.edu>
+
+	* Makefile.in (build_pwfile): Add rule to build the build_pwfile
+		program.   
+
+	* kadm_server.c (kadm_ser_cpw): Put the call to the
+		kadm_approve_pw in the common code, so it's executed even
+		if KADM5 is defined.  Add appropriate syslogs to the
+		change password processing.
+
+	* kadm_funcs.c (pwstring;): If NDBM_PW_CHECK is defined, then do
+		the NDBM-based dictionary check.   Build kadmind4 using
+		the make option PW_CHECK=-DNDBM_PW_CHECK if this feature
+		is desired.
+
 1998-05-08  Theodore Ts'o  <tytso@rsts-11.mit.edu>
 
 	* kadm_server.c (krb_log): Print the year using 4 digit to avoid
diff --git a/src/kadmin/v4server/Makefile.in b/src/kadmin/v4server/Makefile.in
index 19b7ee8..726b91a 100644
--- a/src/kadmin/v4server/Makefile.in
+++ b/src/kadmin/v4server/Makefile.in
@@ -1,6 +1,6 @@
 thisconfigdir=./..
 BUILDTOP=$(REL)$(U)$(S)$(U)
-CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) \
+CFLAGS = $(CCOPTS) $(DEFS) $(LOCALINCLUDE) $(PW_CHECK) \
 	-DKADM5 -DNEED_SOCKETS @HESIOD_DEFS@
 PROG_LIBPATH=-L$(TOPLIBD) $(KRB4_LIBPATH)
 PROG_RPATH=$(KRB5_LIBDIR)
@@ -21,11 +21,16 @@ kadm_err.c kadm_err.h: kadm_err.et
 $(OBJS): kadm_err.h
 
 $(PROG): $(OBJS) $(KADMCLNT_DEPLIBS) $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS)
-	$(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(DB_LIB) $(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
+	$(CC_LINK) -o $(PROG) $(OBJS) $(KADMCLNT_LIBS) $(DB_LIB) \
+		$(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
+
+build_pwfile: build_pwfile.o $(DB_DEPLIB) $(KRB4COMPAT_DEPLIBS)
+	$(CC_LINK) -o build_pwfile build_pwfile.o $(DB_LIB) \
+		$(KRB4COMPAT_LIBS) $(HESIOD_LIBS)
 
 install::
 	$(INSTALL_PROGRAM) $(PROG) ${DESTDIR}$(ADMIN_BINDIR)/$(PROG)
 
 clean::
-	$(RM) $(PROG) $(OBJS)
+	$(RM) $(PROG) $(OBJS) build_pwfile build_pwfile.o
 	$(RM) kadm_err.h kadm_err.c
diff --git a/src/kadmin/v4server/build_pwfile.c b/src/kadmin/v4server/build_pwfile.c
new file mode 100644
index 0000000..9cede78
--- /dev/null
+++ b/src/kadmin/v4server/build_pwfile.c
@@ -0,0 +1,119 @@
+#define NDBM
+/*
+ * build_pwfile.c  --- build a table of bad passwords, keyed by their
+ * 	des equivalents.
+ *
+ * Written by Theodore Ts'o
+ *
+ * Copyright 1988 by the Massachusetts Institute of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#ifndef	lint
+static char rcsid_build_pwfile_c[] =
+"$Id$";
+#endif	lint
+
+#include <mit-copyright.h>
+#include <stdio.h>
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/file.h>
+
+#ifdef NDBM
+#include <ndbm.h>
+#else /*NDBM*/
+#include <dbm.h>
+#endif /*NDBM*/
+
+#include <kadm.h>
+#include <kadm_err.h>
+#include <krb_db.h>
+#include "kadm_server.h"
+
+/* Macros to convert ndbm names to dbm names.
+ * Note that dbm_nextkey() cannot be simply converted using a macro, since
+ * it is invoked giving the database, and nextkey() needs the previous key.
+ *
+ * Instead, all routines call "dbm_next" instead.
+ */
+#ifndef NDBM
+typedef char DBM;
+#define dbm_open(file, flags, mode) ((dbminit(file) == 0)?"":((char *)0))
+#define dbm_fetch(db, key) fetch(key)
+#define dbm_store(db, key, content, flag) store(key, content)
+#define dbm_firstkey(db) firstkey()
+#define dbm_next(db,key) nextkey(key)
+#define dbm_close(db) dbmclose()
+#else
+#define dbm_next(db,key) dbm_nextkey(db)
+#endif
+
+main(argc, argv)
+	int	argc;
+	char	**argv;
+{
+	DBM	*pwfile;
+	FILE	*f;
+	datum	passwd, entry;
+	des_cblock	key;
+	char		word[1024];
+	int		len, filenum, i;
+	int		wptr;
+
+	if (argc != 2) {
+		fprintf(stderr,"%s: Usage: %s filename\n", argv[0], argv[0]);
+		exit(1);
+	}
+	if (!(f = fopen(argv[1], "r"))) {
+		perror(argv[1]);
+		exit(1);
+	}
+	pwfile = dbm_open(PW_CHECK_FILE, O_RDWR|O_CREAT, 0644);
+	if (!pwfile) {
+		fprintf(stderr, "Couldn't open %s for writing.\n",
+			PW_CHECK_FILE);
+		perror("dbm_open");
+		exit(1);
+	}
+	filenum = 0;
+	do {
+		filenum++;
+		passwd.dptr = (char *) &filenum;
+		passwd.dsize = sizeof(filenum);
+		entry.dptr = argv[1];
+		entry.dsize = strlen(argv[1])+1;
+	} while (dbm_store(pwfile, passwd, entry, DBM_INSERT));
+	i = 0;
+	while (!feof(f)) {
+		i++;
+		wptr = (filenum << 24) + i;
+		fgets(word, sizeof(word), f);
+		len = strlen(word);
+		if (len > 0 && word[len-1] == '\n')
+			word[--len] = '\0';
+#ifdef NOENCRYPTION
+		bzero((char *) key, sizeof(des_cblock));
+		key[0] = (unsigned char) 1;
+#else
+		(void) des_string_to_key(word, key);
+#endif
+		
+		passwd.dptr = (char *) key;
+		passwd.dsize = 8;
+		entry.dptr = (char *) &wptr;
+#ifdef notdef
+		entry.dsize = sizeof(wptr);
+#else
+		entry.dsize = 0;
+#endif
+		dbm_store(pwfile, passwd, entry, DBM_REPLACE);
+	}
+	dbm_close(pwfile);
+	exit(0);
+}
+
+
+
diff --git a/src/kadmin/v4server/kadm_funcs.c b/src/kadmin/v4server/kadm_funcs.c
index 87eb227..1d32073 100644
--- a/src/kadmin/v4server/kadm_funcs.c
+++ b/src/kadmin/v4server/kadm_funcs.c
@@ -19,7 +19,9 @@ the actual database manipulation code
 #include <stdio.h>
 #include <string.h>
 #include <sys/param.h>
-/* #include <ndbm.h> Gotten by kadmin_server.h */
+#ifdef NDBM_PW_CHECK
+#include <ndbm.h>
+#endif
 #include <ctype.h>
 #include <pwd.h>
 #include <sys/file.h>
@@ -746,7 +748,7 @@ des_cblock newpw;
 char *pwstring;
 {
 	int		retval;
-#ifdef notdef
+#if NDBM_PW_CHECK
 	static DBM *pwfile = NULL;
 	datum		passwd, entry;
 #endif
@@ -762,7 +764,7 @@ char *pwstring;
 		return(KADM_PW_MISMATCH);
 	if (pwstring && (strlen(pwstring) < 5))
 		return(KADM_INSECURE_PW);
-#ifdef notdef
+#if NDBM_PW_CHECK
 	if (!pwfile) {
 		pwfile = dbm_open(PW_CHECK_FILE, O_RDONLY, 0644);
 	}
diff --git a/src/kadmin/v4server/kadm_server.c b/src/kadmin/v4server/kadm_server.c
index e84e0b7..71cec13 100644
--- a/src/kadmin/v4server/kadm_server.c
+++ b/src/kadmin/v4server/kadm_server.c
@@ -24,6 +24,7 @@
 #else
 #include <time.h>
 #endif
+#include <syslog.h>
 
 #ifdef KADM5
 #include <com_err.h>
@@ -167,13 +168,55 @@ int *outlen;
     memcpy((char *)(((krb5_int32 *)newkey) + 1), (char *)&keyhigh, 4);
     memcpy((char *)newkey, (char *)&keylow, 4);
 
+    if (retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
+			newkey, no_pword ? 0 : pword)) {
+	    if (retval == KADM_PW_MISMATCH) {
+		    /*
+		     * Very strange!!!  This means that the cleartext
+		     * password which was sent and the DES cblock
+		     * didn't match!
+		     */
+		    syslog(LOG_ERR, "'%s.%s@%s' sent a password string which didn't match with the DES key?!?",
+				   ad->pname, ad->pinst, ad->prealm);
+		    return(retval);
+	    }
+	    if (fascist_cpw) {
+		    *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1;
+		    if (*datout = (u_char *) malloc(*outlen)) {
+			    strcpy((char *) *datout, bad_pw_err);
+			    strcat((char *) *datout, pw_blurb);
+		    } else
+			    *outlen = 0;
+		    syslog(LOG_ERR, "'%s.%s@%s' tried to use an insecure password in changepw",
+				   ad->pname, ad->pinst, ad->prealm);
+#ifdef notdef
+		    /* For debugging only, probably a bad idea */
+		    if (!no_pword)
+			    (void) krb_log("The password was %s\n", pword);
+#endif
+		    return(retval);
+	    } else {
+		    *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1;
+		    if (*datout = (u_char *) malloc(*outlen)) {
+			    strcpy((char *) *datout, bad_pw_warn);
+			    strcat((char *) *datout, pw_blurb);
+		    } else
+			    *outlen = 0;
+		    syslog(LOG_ERR, "'%s.%s@%s' used an insecure password in changepw",
+				   ad->pname, ad->pinst, ad->prealm);
+	    }
+    } else {
+	    *datout = 0;
+	    *outlen = 0;
+    }
+
 #ifdef KADM5
     /* we don't use the client-provided key itself */
     keylow = keyhigh = 0;
     memset(newkey, 0, sizeof(newkey));
 
     if (no_pword) {
-	 krb_log("Old-style change password request from '%s.%s@%s'!",
+      syslog(LOG_ERR, "Old-style change password request from '%s.%s@%s'!",
 		 ad->pname, ad->pinst, ad->prealm);
 	 *outlen = strlen(pw_required)+1;
 	 if (*datout = (u_char *) malloc(*outlen)) {
@@ -184,6 +227,9 @@ int *outlen;
 	 return KADM_INSECURE_PW;
     }
 		     
+    syslog(LOG_INFO, "'%s.%s@%s' wants to change its password",
+	   ad->pname, ad->pinst, ad->prealm);
+
     if (krb5_build_principal(kadm_context, &user_princ,
 			     strlen(ad->prealm),
 			     ad->prealm,
@@ -269,54 +315,17 @@ send_response:
 	      strcat(*datout, "\n");
 	 } else
 	      *outlen = 0;
+    } else {
+         syslog(LOG_INFO,
+		"'%s.%s@%s' password changed.", 
+		ad->pname, ad->pinst, ad->prealm);
     }
     if (retval == KADM_INSECURE_PW) {
-	 krb_log("'%s.%s@%s' tried to use an insecure password in changepw",
+          syslog(LOG_ERR, 
+		 "'%s.%s@%s' tried to use an insecure password in changepw",
 		 ad->pname, ad->pinst, ad->prealm);
     }
 #else /* KADM5 */
-    if (retval = kadm_approve_pw(ad->pname, ad->pinst, ad->prealm,
-			newkey, no_pword ? 0 : pword)) {
-	    if (retval == KADM_PW_MISMATCH) {
-		    /*
-		     * Very strange!!!  This means that the cleartext
-		     * password which was sent and the DES cblock
-		     * didn't match!
-		     */
-		    (void) krb_log("'%s.%s@%s' sent a password string which didn't match with the DES key?!?",
-				   ad->pname, ad->pinst, ad->prealm);
-		    return(retval);
-	    }
-	    if (fascist_cpw) {
-		    *outlen = strlen(bad_pw_err)+strlen(pw_blurb)+1;
-		    if (*datout = (u_char *) malloc(*outlen)) {
-			    strcpy((char *) *datout, bad_pw_err);
-			    strcat((char *) *datout, pw_blurb);
-		    } else
-			    *outlen = 0;
-		    (void) krb_log("'%s.%s@%s' tried to use an insecure password in changepw",
-				   ad->pname, ad->pinst, ad->prealm);
-#ifdef notdef
-		    /* For debugging only, probably a bad idea */
-		    if (!no_pword)
-			    (void) krb_log("The password was %s\n", pword);
-#endif
-		    return(retval);
-	    } else {
-		    *outlen = strlen(bad_pw_warn) + strlen(pw_blurb)+1;
-		    if (*datout = (u_char *) malloc(*outlen)) {
-			    strcpy((char *) *datout, bad_pw_warn);
-			    strcat((char *) *datout, pw_blurb);
-		    } else
-			    *outlen = 0;
-		    (void) krb_log("'%s.%s@%s' used an insecure password in changepw",
-				   ad->pname, ad->pinst, ad->prealm);
-	    }
-    } else {
-	    *datout = 0;
-	    *outlen = 0;
-    }
-
     retval = kadm_change(ad->pname, ad->pinst, ad->prealm, newkey);
     keylow = keyhigh = 0;
     memset(newkey, 0, sizeof(newkey));
author	Theodore Tso <tytso@mit.edu>	1998-07-03 22:34:54 +0000
committer	Theodore Tso <tytso@mit.edu>	1998-07-03 22:34:54 +0000
commit	df1bc2c9c34765cb8eeb75c704d7ce0294f4743b (patch)
tree	53565355572076bb29a3f17dcc1083d862cb2297 /src/kadmin/v4server
parent	e7fe8eaef32539fc176888413cdcf345952b9efb (diff)
download	krb5-df1bc2c9c34765cb8eeb75c704d7ce0294f4743b.zip krb5-df1bc2c9c34765cb8eeb75c704d7ce0294f4743b.tar.gz krb5-df1bc2c9c34765cb8eeb75c704d7ce0294f4743b.tar.bz2