123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156 |
- /*
- * guard service
- */
- #include <u.h>
- #include <libc.h>
- #include <fcall.h>
- #include <bio.h>
- #include <ndb.h>
- #include <authsrv.h>
- #include "authcmdlib.h"
- enum {
- Pinlen = 4,
- };
- /*
- * c -> a client
- * a -> c challenge prompt
- * c -> a KC'{challenge}
- * a -> c OK or NO
- */
- void catchalarm(void*, char*);
- void getraddr(char*);
- char user[ANAMELEN];
- char raddr[128];
- int debug;
- Ndb *db;
- void
- main(int argc, char *argv[])
- {
- int n;
- long chal;
- char *err;
- char ukey[DESKEYLEN], resp[32], buf[NETCHLEN];
- Ndb *db2;
- ARGBEGIN{
- case 'd':
- debug = 1;
- break;
- }ARGEND;
- db = ndbopen("/lib/ndb/auth");
- if(db == 0)
- syslog(0, AUTHLOG, "no /lib/ndb/auth");
- db2 = ndbopen(0);
- if(db2 == 0)
- syslog(0, AUTHLOG, "no /lib/ndb/local");
- db = ndbcat(db, db2);
- werrstr("");
- strcpy(raddr, "unknown");
- if(argc >= 1)
- getraddr(argv[argc-1]);
- argv0 = "guard";
- srand((getpid()*1103515245)^time(0));
- notify(catchalarm);
- /*
- * read the host and client and get their keys
- */
- if(readarg(0, user, sizeof user) < 0)
- fail(0);
- /*
- * challenge-response
- */
- chal = lnrand(MAXNETCHAL);
- sprint(buf, "challenge: %lud\nresponse: ", chal);
- n = strlen(buf) + 1;
- if(write(1, buf, n) != n){
- if(debug)
- syslog(0, AUTHLOG, "g-fail %s@%s: %r sending chal",
- user, raddr);
- exits("replying to server");
- }
- alarm(3*60*1000);
- werrstr("");
- if(readarg(0, resp, sizeof resp) < 0){
- if(debug)
- syslog(0, AUTHLOG, "g-fail %s@%s: %r reading resp",
- user, raddr);
- fail(0);
- }
- alarm(0);
- /* remove password login from guard.research.bell-labs.com, sucre, etc. */
- // if(!findkey(KEYDB, user, ukey) || !netcheck(ukey, chal, resp))
- if(!findkey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp))
- if((err = secureidcheck(user, resp)) != nil){
- print("NO %s", err);
- write(1, "NO", 2);
- if(debug) {
- char *r;
- /*
- * don't log the entire response, since the first
- * Pinlen digits may be the user's secure-id pin.
- */
- if (strlen(resp) < Pinlen)
- r = strdup("<too short for pin>");
- else if (strlen(resp) == Pinlen)
- r = strdup("<pin only>");
- else
- r = smprint("%.*s%s", Pinlen,
- "******************", resp + Pinlen);
- syslog(0, AUTHLOG,
- "g-fail %s@%s: %s: resp %s to chal %lud",
- user, raddr, err, r, chal);
- free(r);
- }
- fail(user);
- }
- write(1, "OK", 2);
- if(debug)
- syslog(0, AUTHLOG, "g-ok %s@%s", user, raddr);
- succeed(user);
- exits(0);
- }
- void
- catchalarm(void *x, char *msg)
- {
- USED(x, msg);
- if(debug)
- syslog(0, AUTHLOG, "g-timed out %s", raddr);
- fail(0);
- }
- void
- getraddr(char *dir)
- {
- int n, fd;
- char *cp;
- char file[128];
- snprint(file, sizeof(file), "%s/remote", dir);
- fd = open(file, OREAD);
- if(fd < 0)
- return;
- n = read(fd, raddr, sizeof(raddr)-1);
- close(fd);
- if(n <= 0)
- return;
- raddr[n] = 0;
- cp = strchr(raddr, '\n');
- if(cp)
- *cp = 0;
- cp = strchr(raddr, '!');
- if(cp)
- *cp = 0;
- }
|