2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
11 * Implementation of basic procedures for the AFS user account
16 * --------------------- Required definitions ---------------------
18 #include <afsconfig.h>
19 #include <afs/param.h>
23 #include "uss_kauth.h" /*Module interface*/
24 #include "uss_common.h" /*Common defs & operations*/
36 #include <afs/com_err.h>
37 #include <afs/kautils.h> /*MAXKTCREALMLEN*/
38 #include <afs/kaport.h> /* pack_long */
42 #define uss_kauth_MAX_SIZE 2048
47 * ---------------------- Exported variables ----------------------
49 struct ubik_client *uconn_kauthP; /*Ubik connections
53 * ------------------------ Private globals -----------------------
55 static int initDone = 0; /*Module initialized?*/
56 static char CreatorInstance[MAXKTCNAMELEN]; /*Instance string*/
57 static char UserPrincipal[MAXKTCNAMELEN]; /*Parsed user principal*/
58 static char UserInstance[MAXKTCNAMELEN]; /*Parsed user instance*/
59 static char UserCell[MAXKTCREALMLEN]; /*Parsed user cell*/
62 /*-----------------------------------------------------------------------
63 * EXPORTED uss_kauth_InitAccountCreator
66 * The command line must have been parsed.
70 *-----------------------------------------------------------------------*/
72 afs_int32 uss_kauth_InitAccountCreator()
74 { /*uss_kauth_InitAccountCreator*/
81 * Set up the identity of the principal performing the account
82 * creation (uss_AccountCreator). It's either the administrator
83 * name provided at the call or the identity of the caller as
84 * gleaned from the password info.
86 if (uss_Administrator[0] != '\0') {
87 name = uss_Administrator;
89 else { /* Administrator name not passed in */
90 pw = getpwuid(getuid());
93 "%s: Can't figure out your name from your user id.\n",
100 /* Break the *name into principal and instance */
101 dotPosition = strcspn(name, ".");
102 if (dotPosition >= MAXKTCNAMELEN) {
103 fprintf(stderr, "Admin principal name too long.\n");
106 strncpy(uss_AccountCreator, name, dotPosition);
107 uss_AccountCreator[dotPosition] = '\0';
110 if (name[0] == '.') {
112 if (strlen(name) >= MAXKTCNAMELEN) {
113 fprintf(stderr, "Admin instance name too long.\n");
116 strcpy(CreatorInstance, name);
119 CreatorInstance[0] = '\0';
122 #ifdef USS_KAUTH_DB_INSTANCE
124 "%s: Starting CreatorInstance is '%s', %d bytes\n",
125 uss_whoami, CreatorInstance, strlen(CreatorInstance));
126 #endif /* USS_KAUTH_DB_INSTANCE */
131 /*-----------------------------------------------------------------------
132 * static InitThisModule
135 * Set up this module, namely set up all the client state for
136 * dealing with the Volume Location Server(s), including
137 * network connections.
140 * a_noAuthFlag : Do we need authentication?
141 * a_confDir : Configuration directory to use.
142 * a_cellName : Cell we want to talk to.
145 * 0 if everything went fine, or
146 * lower-level error code otherwise.
149 * This routine will only be called once.
153 *------------------------------------------------------------------------*/
156 static char *getpipepass() {
157 static char gpbuf[BUFSIZ];
158 /* read a password from stdin, stop on \n or eof */
160 memset(gpbuf, 0, sizeof(gpbuf));
161 for(i=0; i<(sizeof(gpbuf)-1); i++) {
163 if (tc == '\n' || tc == EOF) break;
170 afs_int32 InitThisModule()
174 static char rn[] = "uss_kauth:InitThisModule";
175 register afs_int32 code;
176 char *name, prompt[2*MAXKTCNAMELEN+20];
177 char *reasonString, longPassBuff[1024], shortPassBuff[9];
178 struct ktc_encryptionKey key;
179 struct ktc_token token, tok;
180 struct ktc_principal Name;
183 * Only call this routine once.
190 * Pull out the caller's administrator token if they have one.
192 code = ka_GetAdminToken(0, 0, uss_Cell, 0, 10*60*60, &token, 0/*new*/);
195 strncpy(longPassBuff, getpipepass(), sizeof(longPassBuff));
198 * Nope, no admin tokens available. Get the key based on the
199 * full password and try again.
201 sprintf(prompt, "Password for '%s", uss_AccountCreator);
202 if (CreatorInstance[0])
203 sprintf(prompt+strlen(prompt), ".%s", CreatorInstance);
204 strcat(prompt, "': ");
206 ka_UserReadPassword(prompt, /*Prompt to use*/
207 longPassBuff, /*Long pwd buffer*/
208 sizeof(longPassBuff), /*Size of above*/
211 com_err(uss_whoami, code, "while getting password ");
213 printf("%s: Error code from ka_UserReadPassword(): %d\n",
215 #endif /* USS_KAUTH_DB */
219 ka_StringToKey(longPassBuff, uss_Cell, &key);
220 code = ka_GetAdminToken(uss_AccountCreator,
228 if ((code == KABADREQUEST) && (strlen(longPassBuff) > 8)) {
230 * The key we provided just doesn't work, yet we
231 * suspect that since the password is greater than 8
232 * chars, it might be the case that we really need
233 * to truncate the password to generate the appropriate
236 com_err(uss_whoami, code,
237 "while getting administrator token (trying shortened password next...)");
239 printf("%s: Error code from ka_GetAdminToken: %d\n",
241 #endif /* USS_KAUTH_DB */
242 strncpy(shortPassBuff, longPassBuff, 8);
243 shortPassBuff[8] = 0;
244 ka_StringToKey(shortPassBuff, uss_Cell, &key);
245 code = ka_GetAdminToken(uss_AccountCreator,
253 com_err(uss_whoami, code,
254 "while getting administrator token (possibly wrong password, or not an administrative account)");
256 printf("%s: Error code from ka_GetAdminToken: %d\n",
258 #endif /* USS_KAUTH_DB */
263 * The silly administrator has a long password! Tell
264 * him or her off in a polite way.
266 printf("%s: Shortened password accepted by the Authentication Server\n", uss_whoami);
268 } /*Try a shorter password*/
271 * We failed to get an admin token, but the password is
272 * of a reasonable length, so we're just hosed.
274 com_err(uss_whoami, code,
275 "while getting administrator token (possibly wrong password, or not an administrative account)");
277 printf("%s: Error code from ka_GetAdminToken: %d\n",
279 #endif /* USS_KAUTH_DB */
281 } /*Even the shorter password didn't work*/
282 } /*Key from given password didn't work*/
283 } /*First attempt to get admin token failed*/
286 * At this point, we have acquired an administrator token. Let's
287 * proceed to set up a connection to the AuthServer.
289 #ifdef USS_KAUTH_DB_INSTANCE
291 "%s: CreatorInstance after ka_GetAdminToken(): '%s', %d bytes\n",
292 rn, CreatorInstance, strlen(CreatorInstance));
293 #endif /* USS_KAUTH_DB_INSTANCE */
296 * Set up the connection to the AuthServer read/write site.
298 code = ka_AuthServerConn(uss_Cell, KA_MAINTENANCE_SERVICE,
299 &token, &uconn_kauthP);
301 com_err(uss_whoami, code,
302 "while establishing Authentication Server connection");
304 printf("%s: Error code from ka_AuthServerConn: %d\n",
306 #endif /* USS_KAUTH_DB */
310 if (uss_Administrator[0]) {
312 * We must check to see if we have local tokens for admin since he'll may do
313 * various pioctl or calls to protection server that require tokens. Remember
314 * to remove this tokens at the end of the program...
316 strcpy (Name.name, "afs");
317 Name.instance[0] = '\0';
318 strncpy (Name.cell, uss_Cell, sizeof(Name.cell));
319 if (code = ktc_GetToken (&Name, &token, sizeof(struct ktc_token), &tok)) {
320 code = ka_UserAuthenticateLife (0, uss_AccountCreator, CreatorInstance,
321 uss_Cell,longPassBuff,10*60*60,&reasonString);
328 * Declare our success.
336 /*-----------------------------------------------------------------------
337 * EXPORTED uss_kauth_AddUser
340 * The uconn_kauthP variable may already be set to an AuthServer
345 *------------------------------------------------------------------------*/
347 afs_int32 uss_kauth_AddUser(a_user, a_passwd)
351 { /*uss_kauth_AddUser*/
353 static char rn[] = "uss_kauth_AddUser"; /*Routine name*/
354 struct ktc_encryptionKey key;
357 if (uss_SkipKaserver) {
359 * Don't talk to the kaserver; assume calls succeded and simply return.
360 * Amasingly people want to update it (most likely kerberos) themselves...
363 printf("[Skip Kaserver option - Adding of user %s in Authentication DB not done]\n",
370 * Make sure the module has been initialized before we start trying
371 * to talk to AuthServers.
374 code = InitThisModule();
380 * Given the (unencrypted) password and cell, generate a key to
381 * pass to the AuthServer.
383 ka_StringToKey(a_passwd, uss_Cell, &key);
387 fprintf(stderr, "Adding user '%s' to the Authentication DB\n",
390 #ifdef USS_KAUTH_DB_INSTANCE
392 "%s: KAM_CreateUser: user='%s', CreatorInstance='%s', %d bytes\n",
393 rn, a_user, CreatorInstance, strlen(CreatorInstance));
394 #endif /* USS_KAUTH_DB_INSTANCE */
395 code = ubik_Call(KAM_CreateUser,
399 UserInstance, /*set by CheckUsername()*/
402 if (code == KAEXIST){
405 "%s: Warning: User '%s' already in Authentication DB\n",
409 com_err(uss_whoami, code,
410 "while adding user '%s' to Authentication DB",
413 printf("%s: Error code from KAM_CreateUser: %d\n",
415 #endif /* USS_KAUTH_DB */
418 } /*KAM_CreateUser failed*/
422 "\t[Dry run - user '%s' NOT added to Authentication DB]\n",
427 } /*uss_kauth_AddUser*/
430 /*-----------------------------------------------------------------------
431 * EXPORTED uss_kauth_DelUser
434 * The uconn_kauthP variable may already be set to an AuthServer
439 *------------------------------------------------------------------------*/
441 afs_int32 uss_kauth_DelUser(a_user)
444 { /*uss_kauth_DelUser*/
446 static char rn[] = "uss_kauth_DelUser"; /*Routine name*/
447 register afs_int32 code; /*Return code*/
449 if (uss_SkipKaserver) {
451 * Don't talk to the kaserver; assume calls succeded and simply return.
452 * Amasingly people want to update it (most likely kerberos) themselves...
455 printf("[Skip Kaserver option - Deleting of user %s in Authentication DB not done]\n",
461 * Make sure the module has been initialized before we start trying
462 * to talk to AuthServers.
465 code = InitThisModule();
471 #ifdef USS_KAUTH_DB_INSTANCE
472 printf("%s: KAM_DeleteUser: user='%s', CreatorInstance='%s'\n",
473 uss_whoami, a_user, CreatorInstance);
474 #endif /* USS_KAUTH_DB_INSTANCE */
476 printf("Deleting user '%s' from Authentication DB\n",
478 code = ubik_Call(KAM_DeleteUser, /*Procedure to call*/
479 uconn_kauthP, /*Ubik client connection struct*/
481 a_user, /*User name to delete*/
482 UserInstance); /*set in CheckUserName()*/
484 if (code == KANOENT) {
486 printf("%s: No entry for user '%s' in Authentication DB\n",
491 com_err(uss_whoami, code,
492 "while deleting entry in Authentication DB\n");
494 printf("%s: Error code from KAM_DeleteUser: %d\n",
496 #endif /* USS_KAUTH_DB */
499 } /*KAM_DeleteUser failed*/
502 printf("\t[Dry run - user '%s' NOT deleted from Authentication DB]\n",
507 } /*uss_kauth_DelUser*/
510 /*-----------------------------------------------------------------------
511 * EXPORTED uss_kauth_CheckUserName
514 * The user name has already been parsed and placed into
519 *------------------------------------------------------------------------*/
521 afs_int32 uss_kauth_CheckUserName()
523 { /*uss_kauth_CheckUserName*/
525 static char rn[] = "uss_kauth_CheckUserName"; /*Routine name*/
526 register afs_int32 code; /*Return code*/
528 if (uss_SkipKaserver) {
530 * Don't talk to the kaserver; assume calls succeded and simply return.
531 * Amasingly people want to update it (most likely kerberos) themselves...
534 printf("[Skip Kaserver option - Checking of user name in Authentication DB not done]\n");
539 * Make sure the module has been initialized before we start trying
540 * to talk to AuthServers.
543 code = InitThisModule();
549 * Use the AuthServer's own routine to decide if the parsed user name
550 * is legal. Specifically, it can't have any weird characters or
551 * embedded instance or cell names.
553 code = ka_ParseLoginName(uss_User,
554 UserPrincipal, UserInstance, UserCell);
555 if (strlen(UserInstance) > 0) {
556 fprintf(stderr, "%s: User name can't have an instance string ('%s')\n",
557 uss_whoami, UserInstance);
560 if (strlen(UserCell) > 0) {
561 fprintf(stderr, "%s: User name can't have a cell string ('%s')\n",
562 uss_whoami, UserCell);
565 if (strchr(UserPrincipal, ':') != NULL) {
566 fprintf(stderr, "%s: User name '%s' can't have a colon\n",
567 uss_whoami, UserPrincipal);
570 if (strlen(UserPrincipal) > 8) {
572 "%s: User name '%s' must have 8 or fewer characters\n",
573 uss_whoami, UserPrincipal);
578 * The name's OK in my book. Replace the user name with the parsed
581 strcpy(uss_User, UserPrincipal);
584 } /*uss_kauth_CheckUserName*/
588 * EXPORTED uss_kauth_SetFields
591 * The uconn_kauthP variable may already be set to an AuthServer
598 afs_int32 uss_kauth_SetFields(username, expirestring, reuse, failures, lockout)
605 static char rn[] = "uss_kauth_SetFields";
607 char misc_auth_bytes[4];
611 afs_int32 lifetime = 0;
612 afs_int32 maxAssociates = -1;
613 afs_int32 was_spare = 0;
614 char instance = '\0';
616 int nfailures, locktime;
618 if (strlen (username) > uss_UserLen) {
620 "%s: * User field in add cmd too long (max is %d chars; truncated value is '%s')\n",
621 uss_whoami, uss_UserLen, uss_User);
625 strcpy (uss_User, username);
626 code = uss_kauth_CheckUserName();
630 /* no point in doing this any sooner than necessary */
631 for (i=0;i<4;misc_auth_bytes[i++] = 0);
633 pwexpiry = atoi(expirestring);
634 if (pwexpiry <0 || pwexpiry >254) {
635 fprintf(stderr,"Password lifetime range must be [0..254] days.\n");
636 fprintf(stderr,"Zero represents an unlimited lifetime.\n");
637 fprintf(stderr,"Continuing with default lifetime == 0 for user %s.\n",
641 misc_auth_bytes[0] = pwexpiry+1;
644 if (!strcmp(reuse, "reuse")) {
645 misc_auth_bytes[1] = KA_REUSEPW;
647 else if (!strcmp(reuse, "noreuse")) {
648 misc_auth_bytes[1] = KA_NOREUSEPW;
651 misc_auth_bytes[1] = KA_REUSEPW;
653 "must specify \"reuse\" or \"noreuse\": \"reuse\" assumed\n");
656 nfailures = atoi(failures);
657 if (nfailures <0 || nfailures >254) {
658 fprintf(stderr,"Failure limit must be in [0..254].\n");
659 fprintf(stderr,"Zero represents unlimited login attempts.\n");
660 fprintf(stderr,"Continuing with limit == 254 for user %s.\n",
662 misc_auth_bytes[2] = 255;
665 misc_auth_bytes[2] = nfailures+1;
667 locktime = ktime_Str2int32(lockout);
668 if (locktime < 0 || locktime > 36*60 ) {
669 fprintf(stderr,"Lockout times must be either minutes or hh:mm.\n");
670 fprintf(stderr,"Lockout times must be less than 36 hours.\n");
671 fprintf(stderr,"Continuing with lock time == forever for user %s.\n",
675 locktime = (locktime * 60) >> 9;
676 misc_auth_bytes[3] = locktime +1;
679 if (uss_SkipKaserver) {
681 printf("[Skipping Kaserver as requested]\n");
686 * Make sure the module has been initialized before we start trying
687 * to talk to AuthServers.
690 code = InitThisModule();
697 fprintf(stderr, "Setting options for '%s' in database.\n",
700 was_spare = pack_long(misc_auth_bytes);
702 if (was_spare || flags || expiration ||
703 lifetime || (maxAssociates >= 0)) {
706 expiration = uss_Expires;
707 code = ubik_Call( KAM_SetFields, uconn_kauthP, 0, username, &instance,
708 flags, expiration, lifetime, maxAssociates,
709 was_spare, /* spare */ 0);
711 else fprintf (stderr,
712 "Must specify one of the optional parameters. Continuing...\n");
715 com_err (uss_whoami, code,
716 "calling KAM_SetFields for %s.%s", username, instance);
723 "\t[Dry run - user '%s' NOT changed.]\n",
728 } /*uss_kauth_SetFields */