2 * Copyright 2000, International Business Machines Corporation and others.
5 * This software has been released under the terms of the IBM Public
6 * License. For details, see the LICENSE file in the top-level source
7 * directory or online at http://www.openafs.org/dl/license10.html
11 * Implementation of basic procedures for the AFS user account
16 * --------------------- Required definitions ---------------------
18 #include <afsconfig.h>
19 #include <afs/param.h>
22 #include "uss_kauth.h" /*Module interface */
23 #include "uss_common.h" /*Common defs & operations */
29 #include <afs/com_err.h>
30 #include <afs/kautils.h> /*MAXKTCREALMLEN*/
31 #include <afs/kaport.h> /* pack_long */
32 #include <afs/kauth.h>
33 #define uss_kauth_MAX_SIZE 2048
36 * ---------------------- Exported variables ----------------------
38 struct ubik_client *uconn_kauthP; /*Ubik connections
42 * ------------------------ Private globals -----------------------
44 static int initDone = 0; /*Module initialized? */
45 static char CreatorInstance[MAXKTCNAMELEN]; /*Instance string */
46 static char UserPrincipal[MAXKTCNAMELEN]; /*Parsed user principal */
47 static char UserInstance[MAXKTCNAMELEN]; /*Parsed user instance */
48 static char UserCell[MAXKTCREALMLEN]; /*Parsed user cell */
51 /*-----------------------------------------------------------------------
52 * EXPORTED uss_kauth_InitAccountCreator
55 * The command line must have been parsed.
59 *-----------------------------------------------------------------------*/
62 uss_kauth_InitAccountCreator(void)
63 { /*uss_kauth_InitAccountCreator */
70 * Set up the identity of the principal performing the account
71 * creation (uss_AccountCreator). It's either the administrator
72 * name provided at the call or the identity of the caller as
73 * gleaned from the password info.
75 if (uss_Administrator[0] != '\0') {
76 name = uss_Administrator;
77 } else { /* Administrator name not passed in */
78 pw = getpwuid(getuid());
81 "%s: Can't figure out your name from your user id.\n",
88 /* Break the *name into principal and instance */
89 dotPosition = strcspn(name, ".");
90 if (dotPosition >= MAXKTCNAMELEN) {
91 fprintf(stderr, "Admin principal name too long.\n");
94 strncpy(uss_AccountCreator, name, dotPosition);
95 uss_AccountCreator[dotPosition] = '\0';
100 if (strlen(name) >= MAXKTCNAMELEN) {
101 fprintf(stderr, "Admin instance name too long.\n");
104 strcpy(CreatorInstance, name);
106 CreatorInstance[0] = '\0';
109 #ifdef USS_KAUTH_DB_INSTANCE
110 fprintf(stderr, "%s: Starting CreatorInstance is '%s', %d bytes\n",
111 uss_whoami, CreatorInstance, strlen(CreatorInstance));
112 #endif /* USS_KAUTH_DB_INSTANCE */
117 /*-----------------------------------------------------------------------
118 * static InitThisModule
121 * Set up this module, namely set up all the client state for
122 * dealing with the Volume Location Server(s), including
123 * network connections.
126 * a_noAuthFlag : Do we need authentication?
127 * a_confDir : Configuration directory to use.
128 * a_cellName : Cell we want to talk to.
131 * 0 if everything went fine, or
132 * lower-level error code otherwise.
135 * This routine will only be called once.
139 *------------------------------------------------------------------------*/
145 static char gpbuf[BUFSIZ];
146 /* read a password from stdin, stop on \n or eof */
148 memset(gpbuf, 0, sizeof(gpbuf));
149 for (i = 0; i < (sizeof(gpbuf) - 1); i++) {
151 if (tc == '\n' || tc == EOF)
161 { /*InitThisModule */
163 static char rn[] = "uss_kauth:InitThisModule";
165 register afs_int32 code;
166 char prompt[2 * MAXKTCNAMELEN + 20];
167 char *reasonString, longPassBuff[1024], shortPassBuff[9];
168 struct ktc_encryptionKey key;
169 struct ktc_token token;
170 struct ktc_principal Name, tok;
173 * Only call this routine once.
180 * Pull out the caller's administrator token if they have one.
183 ka_GetAdminToken(0, 0, uss_Cell, 0, 10 * 60 * 60, &token,
187 strncpy(longPassBuff, getpipepass(), sizeof(longPassBuff));
190 * Nope, no admin tokens available. Get the key based on the
191 * full password and try again.
193 sprintf(prompt, "Password for '%s", uss_AccountCreator);
194 if (CreatorInstance[0])
195 sprintf(prompt + strlen(prompt), ".%s", CreatorInstance);
196 strcat(prompt, "': ");
197 code = ka_UserReadPassword(prompt, /*Prompt to use */
198 longPassBuff, /*Long pwd buffer */
199 sizeof(longPassBuff), /*Size of above */
202 afs_com_err(uss_whoami, code, "while getting password ");
204 printf("%s: Error code from ka_UserReadPassword(): %d\n", rn,
206 #endif /* USS_KAUTH_DB */
210 ka_StringToKey(longPassBuff, uss_Cell, &key);
212 ka_GetAdminToken(uss_AccountCreator, CreatorInstance, uss_Cell,
213 &key, 24 * 60 * 60, &token, 0 /*new */ );
215 if ((code == KABADREQUEST) && (strlen(longPassBuff) > 8)) {
217 * The key we provided just doesn't work, yet we
218 * suspect that since the password is greater than 8
219 * chars, it might be the case that we really need
220 * to truncate the password to generate the appropriate
223 afs_com_err(uss_whoami, code,
224 "while getting administrator token (trying shortened password next...)");
226 printf("%s: Error code from ka_GetAdminToken: %d\n", rn,
228 #endif /* USS_KAUTH_DB */
229 strncpy(shortPassBuff, longPassBuff, 8);
230 shortPassBuff[8] = 0;
231 ka_StringToKey(shortPassBuff, uss_Cell, &key);
233 ka_GetAdminToken(uss_AccountCreator, CreatorInstance,
234 uss_Cell, &key, 24 * 60 * 60, &token,
237 afs_com_err(uss_whoami, code,
238 "while getting administrator token (possibly wrong password, or not an administrative account)");
240 printf("%s: Error code from ka_GetAdminToken: %d\n", rn,
242 #endif /* USS_KAUTH_DB */
246 * The silly administrator has a long password! Tell
247 * him or her off in a polite way.
250 ("%s: Shortened password accepted by the Authentication Server\n",
253 } /*Try a shorter password */
256 * We failed to get an admin token, but the password is
257 * of a reasonable length, so we're just hosed.
259 afs_com_err(uss_whoami, code,
260 "while getting administrator token (possibly wrong password, or not an administrative account)");
262 printf("%s: Error code from ka_GetAdminToken: %d\n", rn,
264 #endif /* USS_KAUTH_DB */
266 } /*Even the shorter password didn't work */
267 } /*Key from given password didn't work */
270 /*First attempt to get admin token failed */
272 * At this point, we have acquired an administrator token. Let's
273 * proceed to set up a connection to the AuthServer.
275 #ifdef USS_KAUTH_DB_INSTANCE
277 "%s: CreatorInstance after ka_GetAdminToken(): '%s', %d bytes\n",
278 rn, CreatorInstance, strlen(CreatorInstance));
279 #endif /* USS_KAUTH_DB_INSTANCE */
282 * Set up the connection to the AuthServer read/write site.
285 ka_AuthServerConn(uss_Cell, KA_MAINTENANCE_SERVICE, &token,
288 afs_com_err(uss_whoami, code,
289 "while establishing Authentication Server connection");
291 printf("%s: Error code from ka_AuthServerConn: %d\n", rn, code);
292 #endif /* USS_KAUTH_DB */
296 if (uss_Administrator[0]) {
298 * We must check to see if we have local tokens for admin since he'll may do
299 * various pioctl or calls to protection server that require tokens. Remember
300 * to remove this tokens at the end of the program...
302 strcpy(Name.name, "afs");
303 Name.instance[0] = '\0';
304 strncpy(Name.cell, uss_Cell, sizeof(Name.cell));
306 ktc_GetToken(&Name, &token, sizeof(struct ktc_token), &tok))) {
308 ka_UserAuthenticateLife(0, uss_AccountCreator,
309 CreatorInstance, uss_Cell,
310 longPassBuff, 10 * 60 * 60,
318 * Declare our success.
323 } /*InitThisModule */
326 /*-----------------------------------------------------------------------
327 * EXPORTED uss_kauth_AddUser
330 * The uconn_kauthP variable may already be set to an AuthServer
335 *------------------------------------------------------------------------*/
338 uss_kauth_AddUser(char *a_user, char *a_passwd)
339 { /*uss_kauth_AddUser */
341 static char rn[] = "uss_kauth_AddUser"; /*Routine name */
343 struct ktc_encryptionKey ktc_key;
347 if (uss_SkipKaserver) {
349 * Don't talk to the kaserver; assume calls succeded and simply return.
350 * Amasingly people want to update it (most likely kerberos) themselves...
354 ("[Skip Kaserver option - Adding of user %s in Authentication DB not done]\n",
361 * Make sure the module has been initialized before we start trying
362 * to talk to AuthServers.
365 code = InitThisModule();
371 * Given the (unencrypted) password and cell, generate a key to
372 * pass to the AuthServer.
374 ka_StringToKey(a_passwd, uss_Cell, &ktc_key);
376 memcpy(&key, &ktc_key, sizeof(key)); /* XXX - we could just cast */
380 fprintf(stderr, "Adding user '%s' to the Authentication DB\n",
383 #ifdef USS_KAUTH_DB_INSTANCE
385 "%s: KAM_CreateUser: user='%s', CreatorInstance='%s', %d bytes\n",
386 rn, a_user, CreatorInstance, strlen(CreatorInstance));
387 #endif /* USS_KAUTH_DB_INSTANCE */
388 code = ubik_KAM_CreateUser(uconn_kauthP, 0, a_user,
389 UserInstance, /*set by CheckUsername() */
392 if (code == KAEXIST) {
395 "%s: Warning: User '%s' already in Authentication DB\n",
398 afs_com_err(uss_whoami, code,
399 "while adding user '%s' to Authentication DB",
402 printf("%s: Error code from KAM_CreateUser: %d\n", rn, code);
403 #endif /* USS_KAUTH_DB */
406 } /*KAM_CreateUser failed */
410 "\t[Dry run - user '%s' NOT added to Authentication DB]\n",
415 } /*uss_kauth_AddUser */
418 /*-----------------------------------------------------------------------
419 * EXPORTED uss_kauth_DelUser
422 * The uconn_kauthP variable may already be set to an AuthServer
427 *------------------------------------------------------------------------*/
430 uss_kauth_DelUser(char *a_user)
431 { /*uss_kauth_DelUser */
433 static char rn[] = "uss_kauth_DelUser"; /*Routine name */
435 register afs_int32 code; /*Return code */
437 if (uss_SkipKaserver) {
439 * Don't talk to the kaserver; assume calls succeded and simply return.
440 * Amasingly people want to update it (most likely kerberos) themselves...
444 ("[Skip Kaserver option - Deleting of user %s in Authentication DB not done]\n",
450 * Make sure the module has been initialized before we start trying
451 * to talk to AuthServers.
454 code = InitThisModule();
460 #ifdef USS_KAUTH_DB_INSTANCE
461 printf("%s: KAM_DeleteUser: user='%s', CreatorInstance='%s'\n",
462 uss_whoami, a_user, CreatorInstance);
463 #endif /* USS_KAUTH_DB_INSTANCE */
465 printf("Deleting user '%s' from Authentication DB\n", a_user);
466 code = ubik_KAM_DeleteUser(
467 uconn_kauthP, /*Ubik client connection struct */
469 a_user, /*User name to delete */
470 UserInstance); /*set in CheckUserName() */
472 if (code == KANOENT) {
475 ("%s: No entry for user '%s' in Authentication DB\n",
479 afs_com_err(uss_whoami, code,
480 "while deleting entry in Authentication DB\n");
482 printf("%s: Error code from KAM_DeleteUser: %d\n", rn, code);
483 #endif /* USS_KAUTH_DB */
486 } /*KAM_DeleteUser failed */
489 printf("\t[Dry run - user '%s' NOT deleted from Authentication DB]\n",
494 } /*uss_kauth_DelUser */
497 /*-----------------------------------------------------------------------
498 * EXPORTED uss_kauth_CheckUserName
501 * The user name has already been parsed and placed into
506 *------------------------------------------------------------------------*/
509 uss_kauth_CheckUserName(void)
510 { /*uss_kauth_CheckUserName */
512 static char rn[] = "uss_kauth_CheckUserName"; /*Routine name */
514 register afs_int32 code; /*Return code */
516 if (uss_SkipKaserver) {
518 * Don't talk to the kaserver; assume calls succeded and simply return.
519 * Amasingly people want to update it (most likely kerberos) themselves...
523 ("[Skip Kaserver option - Checking of user name in Authentication DB not done]\n");
528 * Make sure the module has been initialized before we start trying
529 * to talk to AuthServers.
532 code = InitThisModule();
538 * Use the AuthServer's own routine to decide if the parsed user name
539 * is legal. Specifically, it can't have any weird characters or
540 * embedded instance or cell names.
542 code = ka_ParseLoginName(uss_User, UserPrincipal, UserInstance, UserCell);
543 if (strlen(UserInstance) > 0) {
545 "%s: User name can't have an instance string ('%s')\n",
546 uss_whoami, UserInstance);
549 if (strlen(UserCell) > 0) {
550 fprintf(stderr, "%s: User name can't have a cell string ('%s')\n",
551 uss_whoami, UserCell);
554 if (strchr(UserPrincipal, ':') != NULL) {
555 fprintf(stderr, "%s: User name '%s' can't have a colon\n", uss_whoami,
559 if (strlen(UserPrincipal) > 8) {
561 "%s: User name '%s' must have 8 or fewer characters\n",
562 uss_whoami, UserPrincipal);
567 * The name's OK in my book. Replace the user name with the parsed
570 strcpy(uss_User, UserPrincipal);
573 } /*uss_kauth_CheckUserName */
577 * EXPORTED uss_kauth_SetFields
580 * The uconn_kauthP variable may already be set to an AuthServer
588 uss_kauth_SetFields(char *username, char *expirestring, char *reuse,
589 char *failures, char *lockout)
592 static char rn[] = "uss_kauth_SetFields";
595 char misc_auth_bytes[4];
599 afs_int32 lifetime = 0;
600 afs_int32 maxAssociates = -1;
601 afs_int32 was_spare = 0;
602 char instance = '\0';
604 int nfailures, locktime, hrs, mins;
606 if (strlen(username) > uss_UserLen) {
608 "%s: * User field in add cmd too long (max is %d chars; truncated value is '%s')\n",
609 uss_whoami, uss_UserLen, uss_User);
613 strcpy(uss_User, username);
614 code = uss_kauth_CheckUserName();
618 /* no point in doing this any sooner than necessary */
619 for (i = 0; i < 4; misc_auth_bytes[i++] = 0);
621 pwexpiry = atoi(expirestring);
622 if (pwexpiry < 0 || pwexpiry > 254) {
623 fprintf(stderr, "Password lifetime range must be [0..254] days.\n");
624 fprintf(stderr, "Zero represents an unlimited lifetime.\n");
626 "Continuing with default lifetime == 0 for user %s.\n",
630 misc_auth_bytes[0] = pwexpiry + 1;
632 if (!strcmp(reuse, "noreuse")) {
633 misc_auth_bytes[1] = KA_NOREUSEPW;
635 misc_auth_bytes[1] = KA_REUSEPW;
636 if (strcmp(reuse, "reuse"))
637 fprintf(stderr, "must specify \"reuse\" or \"noreuse\": \"reuse\" assumed\n");
640 nfailures = atoi(failures);
641 if (nfailures < 0 || nfailures > 254) {
642 fprintf(stderr, "Failure limit must be in [0..254].\n");
643 fprintf(stderr, "Zero represents unlimited login attempts.\n");
644 fprintf(stderr, "Continuing with limit == 254 for user %s.\n",
646 misc_auth_bytes[2] = 255;
648 misc_auth_bytes[2] = nfailures + 1;
651 if (strchr(lockout, ':'))
652 sscanf(lockout, "%d:%d", &hrs, &mins);
654 sscanf(lockout, "%d", &mins);
656 locktime = hrs*60 + mins;
657 if (hrs < 0 || hrs > 36 || mins < 0) {
658 fprintf(stderr,"Lockout times must be either minutes or hh:mm.\n");
659 fprintf(stderr,"Lockout times must be less than 36 hours.\n");
661 } else if (locktime > 36*60) {
662 fprintf(stderr, "Lockout times must be either minutes or hh:mm.\n");
663 fprintf(stderr, "Lockout times must be less than 36 hours.\n");
664 fprintf(stderr, "Continuing with lock time == forever for user %s.\n",
666 misc_auth_bytes[3] = 1;
668 locktime = (locktime * 60 + 511) >> 9; /* ceil(l*60/512) */
669 misc_auth_bytes[3] = locktime + 1;
672 if (uss_SkipKaserver) {
674 printf("[Skipping Kaserver as requested]\n");
679 * Make sure the module has been initialized before we start trying
680 * to talk to AuthServers.
683 code = InitThisModule();
690 fprintf(stderr, "Setting options for '%s' in database.\n",
693 was_spare = pack_long(misc_auth_bytes);
695 if (was_spare || flags || expiration || lifetime
696 || (maxAssociates >= 0)) {
699 expiration = uss_Expires;
701 ubik_Call(KAM_SetFields, uconn_kauthP, 0, username, &instance,
702 flags, expiration, lifetime, maxAssociates,
703 was_spare, /* spare */ 0);
706 "Must specify one of the optional parameters. Continuing...\n");
709 afs_com_err(uss_whoami, code, "calling KAM_SetFields for %s",
716 fprintf(stderr, "\t[Dry run - user '%s' NOT changed.]\n", username);
720 } /*uss_kauth_SetFields */
git://git.openafs.org / openafs.git / blob