From: Kurt Zeilenga Date: Thu, 14 Jun 2001 05:28:46 +0000 (+0000) Subject: Rip most of Kbind out in prep for adding SASL. X-Git-Tag: LDBM_PRE_GIANT_RWLOCK~1317 X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=5cf21f13fed6bb821dd38571efd1ac717aabd56b;p=openldap Rip most of Kbind out in prep for adding SASL. --- diff --git a/clients/ud/Makefile.in b/clients/ud/Makefile.in index 85c20e4b0e..8632500903 100644 --- a/clients/ud/Makefile.in +++ b/clients/ud/Makefile.in @@ -1,10 +1,10 @@ # $OpenLDAP$ SRCS= main.c find.c mod.c print.c auth.c util.c help.c \ - string_to_key.c group.c edit.c globals.c + group.c edit.c globals.c XSRCS= version.c OBJS= main.o find.o mod.o print.o auth.o util.o help.o \ - string_to_key.o group.o globals.o edit.o + group.o globals.o edit.o HDRS= ud.h PROGRAMS= ud diff --git a/clients/ud/README b/clients/ud/README deleted file mode 100644 index d6ff35fb6d..0000000000 --- a/clients/ud/README +++ /dev/null @@ -1,31 +0,0 @@ -Users ------ -For users, see the man page on ud. - -Installers ----------- -For installers, see the header file. Anything that is configurable is -listed in there as a #define, and the file is pretty well commented. - -Kerberos users --------------- -If you're going to use Kerberos, be sure that you have a Kerberos config file -in /etc/krb.conf of the form: - - - [ admin server ] - -This should be the realm in which users are going to authenticate, which -is not necessarily your realm. - -You can certainly have other entries in this file, but you'll need at least -these two. - -Also be sure that you have the necessary entries in /etc/services so that -your client knows on which port to find a Kerberos authentication server. -An pair of entries like this: - - kerberos 750/udp kdc # Kerberos authentication - kerberos 750/tcp kdc # Kerberos authentication - -is fairly typical. diff --git a/clients/ud/auth.c b/clients/ud/auth.c index 23bfbc83d6..5f74e79369 100644 --- a/clients/ud/auth.c +++ b/clients/ud/auth.c 
@@ -36,12 +36,6 @@ #include "ldap_defaults.h" #include "ud.h" -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND -static char tktpath[20]; /* ticket file path */ -static int kinit(); -static int valid_tgt(); -#endif - static void set_bound_dn(char *s); @@ -59,12 +53,6 @@ auth( char *who, int implicit ) char *user; #endif char uidname[20]; -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - char **krbnames; /* for kerberos names */ - int kinited, ikrb; - char buf[5]; - extern int krb_debug; -#endif LDAPMessage *mp; /* returned from find() */ static char prompt[MED_BUF_SIZE]; /* place for us to sprintf the prompt */ static char name[MED_BUF_SIZE]; /* place to store the user's name */ 
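Review bot: The `char **krbnames; /* for kerberos names */` declaration dropped from the `#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND` block in hunk @@ -59,12 +53,6 @@ is still needed: hunk @@ -155,88 +143,21 @@ keeps `if ( (krbnames = ldap_get_values( ld, mp, "krbName" )) != NULL ) {` as context and adds `(void) ldap_value_free(krbnames);` inside the same KBIND-guarded region. Unless krbnames is declared at file scope somewhere not shown, auth.c no longer compiles with KBIND enabled. Keep the declaration under its guard, `#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND` / `char **krbnames; /* for kerberos names */` / `#endif`; the other removed locals (kinited, ikrb, buf, krb_debug) appear unused in the new code shown. The body of auth() continues outside this hunk.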
@@ -155,88 +143,21 @@ auth( char *who, int implicit ) */ if ( (krbnames = ldap_get_values( ld, mp, "krbName" )) != NULL ) { - int choice, hassimple; - - hassimple = (ldap_compare_s( ld, Entry.DN, - "userPassword", "x" ) == LDAP_COMPARE_FALSE); - (void) ldap_msgfree(mp); - - /* if we're running as a server (e.g., out of inetd) */ - if ( ! isatty( 1 ) ) { - strcpy( tktpath, LDAP_TMPDIR LDAP_DIRSEP "ud_tktXXXXXX" ); - mktemp( tktpath ); - krb_set_tkt_string( tktpath ); - } - - kinited = valid_tgt( krbnames ); - - if ( hassimple && !kinited ) { - printf(" Which password would you like to use?\n"); - printf(" 1 -> LDAP password\n"); -#ifdef UOFM - printf(" 2 -> UMICH password (aka Uniqname or Kerberos password)\n"); -#else - printf(" 2 -> Kerberos password\n"); -#endif - - do { - printf(" Enter 1 or 2: "); - fflush(stdout); - - fetch_buffer(buf, sizeof(buf), stdin); - choice = atoi(buf); - } while (choice != 1 && choice != 2); - - authmethod = (choice == 1 ? LDAP_AUTH_SIMPLE : - LDAP_AUTH_KRBV4); - } else { - authmethod = LDAP_AUTH_KRBV4; - } + authmethod = LDAP_AUTH_KRBV4; + (void) ldap_value_free(krbnames); } else { authmethod = LDAP_AUTH_SIMPLE; - (void) ldap_msgfree(mp); } + (void) ldap_msgfree(mp); /* * if they are already kinited, we don't need to ask for a * password. */ - if ( authmethod == LDAP_AUTH_KRBV4 ) { - if ( ! 
kinited ) { - if ( krbnames[1] != NULL ) { - int i; - - /* ask which one to use */ -#ifdef UOFM - printf(" Which UMICH (aka Kerberos or uniqname) name would you like to use?\n"); -#else - printf(" Which Kerberos name would you like to use?\n"); -#endif - for ( i = 0; krbnames[i] != NULL; i++ ) { - printf( " %d -> %s\n", i + 1, - krbnames[i] ); - } - do { - printf(" Enter a number between 1 and %d: ", i ); - fflush( stdout ); - - fetch_buffer(buf, sizeof(buf), stdin); - ikrb = atoi(buf) - 1; - } while ( ikrb > i - 1 || ikrb < 0 ); - } else { - ikrb = 0; - } - - /* kinit */ - if ( kinit( krbnames[ikrb] ) != 0 ) { - (void) ldap_value_free(rdns); - (void) ldap_value_free(krbnames); - return(-1); - } - } - } else { + if ( authmethod != LDAP_AUTH_KRBV4 ) #endif + { authmethod = LDAP_AUTH_SIMPLE; sprintf(prompt, " Enter your LDAP password: "); do { @@ -246,10 +167,8 @@ auth( char *who, int implicit ) (void) ldap_value_free(rdns); return(0); } -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND } - (void) ldap_value_free(krbnames); -#endif + ldap_flush_cache( ld ); rc = ldap_bind_s(ld, Entry.DN, passwd, authmethod); if (rc != LDAP_SUCCESS) { @@ -261,12 +180,11 @@ auth( char *who, int implicit ) #ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND if ( authmethod == LDAP_AUTH_KRBV4 ) { fprintf(stderr, " The Kerberos credentials are invalid.\n"); - } else { + } else #endif + { fprintf(stderr, " The password you provided is incorrect.\n"); -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND } -#endif else ldap_perror(ld, "ldap_bind_s" ); (void) ldap_bind_s(ld, default_bind_object, 
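Review bot: The surviving comment `if they are already kinited, we don't need to ask for a password.` in hunk @@ -155,88 +143,21 @@ no longer describes the code beneath it: the valid_tgt()/kinit() path is gone, so the KRBV4 branch now skips the password prompt unconditionally and the bind relies on whatever ticket cache the environment already provides, with a missing or expired ticket surfacing only as the ldap_bind_s failure reported later in hunk @@ -261,12 +180,11 @@. Replace it with `/* KRBV4: no password prompt; the bind uses existing Kerberos credentials, which are no longer acquired here */`. With KBIND enabled, the `authmethod = LDAP_AUTH_SIMPLE;` inside the braces that follow `#endif` is reached only when authmethod is already LDAP_AUTH_SIMPLE, so it is redundant there and matters only for the non-KBIND build; a short comment saying so would save the next reader the same puzzle. auth() begins and ends outside this hunk.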
@@ -293,138 +211,6 @@ auth( char *who, int implicit ) return(0); } -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - -#define FIVEMINS ( 5 * 60 ) -#define TGT "krbtgt" - -static int -valid_tgt( char **names ) -{ - int i; - char name[ ANAME_SZ ], inst[ INST_SZ ], realm[ REALM_SZ ]; - CREDENTIALS cred; - - for ( i = 0; names[i] != NULL; i++ ) { - if ( kname_parse( name, inst, realm, names[i] ) != KSUCCESS ) { - fprintf( stderr, "Bad format for krbName %s\n", - names[i] ); - fprintf( stderr, "Contact x500@umich.edu\n" ); - return( 0 ); - } - -#ifdef HAVE_AFS_KERBEROS - /* - * realm must be uppercase for krb_ routines - */ - ldap_pvt_str2upper( realm ); -#endif /* HAVE_AFS_KERBEROS */ - - /* - * check ticket file for a valid ticket granting ticket - * my check is: have ticket granting ticket and it is good for - * at least 5 more minutes - */ - if ( krb_get_cred( TGT, realm, realm, - &cred ) == KSUCCESS && time( 0 ) + FIVEMINS < - cred.issue_date + (u_char)cred.lifetime * FIVEMINS ) { - return( 1 ); - } - } - - return( 0 ); -} - -static char *kauth_name; - -#ifndef HAVE_KTH_KERBEROS - -/*ARGSUSED*/ -int -krbgetpass( char *user, char *inst, char *realm, char *pw, C_Block key ) -{ - char *p, lcrealm[ REALM_SZ ], prompt[256], *passwd; - -#ifdef UOFM - sprintf(prompt, " Enter the UMICH password (same as Uniqname or Kerberos password)\n for %s: ", kauth_name ); -#else - sprintf(prompt, " Enter Kerberos password for %s: ", kauth_name ); -#endif - do { - passwd = getpassphrase(prompt); - } while (passwd != NULL && *passwd == '\0'); - if (passwd == NULL) { - return(-1); - } - -#ifdef HAVE_AFS_KERBEROS - strcpy( lcrealm, realm ); - for ( p = lcrealm; *p != '\0'; ++p ) { - *p = TOLOWER( (unsigned char) *p ); - } - - ka_StringToKey( passwd, lcrealm, key ); -#else /* HAVE_AFS_KERBEROS */ - string_to_key( passwd, key ); -#endif /* HAVE_AFS_KERBEROS */ - - return( 0 ); -} -#endif /* HAVE_KTH_KERBEROS */ - -static int -kinit( char *kname ) -{ - int rc; - char name[ ANAME_SZ ], inst[ 
INST_SZ ], realm[ REALM_SZ ]; - - kauth_name = kname; - - if ( kname_parse( name, inst, realm, kname ) != KSUCCESS ) { - fprintf( stderr, "Bad format for krbName %s\n", - kname ); - fprintf( stderr, "Contact x500@umich.edu\n" ); - return( -1 ); - } - -#ifdef HAVE_AFS_KERBEROS - /* realm must be uppercase for AFS krb_ routines */ - ldap_pvt_str2upper( realm ); -#endif /* HAVE_AFS_KERBEROS */ - -#ifdef HAVE_KTH_KERBEROS - /* Kth kerberos knows how to do both string to keys */ - rc = krb_get_pw_in_tkt( name, inst, realm, TGT, realm, - DEFAULT_TKT_LIFE, 0 ); -#else - rc = krb_get_in_tkt( name, inst, realm, TGT, realm, - DEFAULT_TKT_LIFE, krbgetpass, NULL, NULL ); -#endif - - if ( rc != KSUCCESS ) { - switch ( rc ) { - case SKDC_CANT: - fprintf( stderr, "Can't contact Kerberos server for %s\n", realm ); - break; - default: - fprintf( stderr, "%s: %s\n", name, krb_err_txt[ rc ] ); - break; - } - return( -1 ); - } - - return( 0 ); -} - -void -destroy_tickets( void ) -{ - if ( *tktpath != '\0' ) { - unlink( tktpath ); - } -} -#endif - static void set_bound_dn( char *s ) { diff --git a/clients/ud/etc.ud.conf b/clients/ud/etc.ud.conf deleted file mode 100644 index 4566d6ffa1..0000000000 --- a/clients/ud/etc.ud.conf +++ /dev/null @@ -1,2 +0,0 @@ -server -base diff --git a/clients/ud/main.c b/clients/ud/main.c index 4e2dac8adb..8197a2fce9 100644 --- a/clients/ud/main.c +++ b/clients/ud/main.c @@ -279,9 +279,6 @@ do_commands( void ) printf(" Thank you!\n"); ldap_unbind(ld); -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - destroy_tickets(); -#endif exit( EXIT_SUCCESS ); /* NOTREACHED */ } diff --git a/clients/ud/string_to_key.c b/clients/ud/string_to_key.c deleted file mode 100644 index 66d2eb6643..0000000000 --- a/clients/ud/string_to_key.c +++ /dev/null 
@@ -1,261 +0,0 @@ -/* $OpenLDAP$ */ -/* - * Copyright 1998-2000 The OpenLDAP Foundation, All Rights Reserved. - * COPYING RESTRICTIONS APPLY, see COPYRIGHT file - */ -#include "portable.h" - -#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd) -/* - * Copyright 1985, 1986, 1987, 1988, 1989 by the Massachusetts Institute - * of Technology. - * - * For copying and distribution information, please see the file - * . - * - * These routines perform encryption and decryption using the DES - * private key algorithm, or else a subset of it-- fewer inner loops. - * (AUTH_DES_ITER defaults to 16, may be less.) - * - * Under U.S. law, this software may not be exported outside the US - * without license from the U.S. Commerce department. - * - * The key schedule is passed as an arg, as well as the cleartext or - * ciphertext. The cleartext and ciphertext should be in host order. - * - * These routines form the library interface to the DES facilities. - * - * spm 8/85 MIT project athena - */ - -#include -#include - -#if defined( DEBUG ) && defined( HAVE_DES_DEBUG ) -#define USE_DES_DEBUG -extern int des_debug; -#endif - -extern void des_fixup_key_parity(); - -#ifndef HAVE_AFS_KERBEROS -#define WORLDPEACEINOURTIME -#endif - -#if defined(WORLDPEACEINOURTIME) /* Use original, not ifs version */ -#ifndef HAVE_KERBEROS_V -/* - * convert an arbitrary length string to a DES key - */ -void -des_string_to_key( char *str, register des_cblock *key ) -{ - register char *in_str; - register unsigned temp,i; - register int j; - register long length; - static unsigned char *k_p; - static int forward; - register char *p_char; - static char k_char[64]; - static des_key_schedule key_sked; - extern unsigned long des_cbc_cksum(); - - in_str = str; - forward = 1; - p_char = k_char; - length = strlen(str); - - /* init key array for bits */ - memset(k_char, '\0', sizeof(k_char)); - -#ifdef USE_DES_DEBUG - if (des_debug) - fprintf(stdout, - "\n\ninput str length = %d string = 
%s\nstring = 0x ", - length,str); -#endif - - /* get next 8 bytes, strip parity, xor */ - for (i = 1; i <= length; i++) { - /* get next input key byte */ - temp = (unsigned int) *str++; -#ifdef USE_DES_DEBUG - if (des_debug) - fprintf(stdout,"%02x ",temp & 0xff); -#endif - /* loop through bits within byte, ignore parity */ - for (j = 0; j <= 6; j++) { - if (forward) - *p_char++ ^= (int) temp & 01; - else - *--p_char ^= (int) temp & 01; - temp = temp >> 1; - } while (--j > 0); - - /* check and flip direction */ - if ((i%8) == 0) - forward = !forward; - } - - /* now stuff into the key des_cblock, and force odd parity */ - p_char = k_char; - k_p = (unsigned char *) key; - - for (i = 0; i <= 7; i++) { - temp = 0; - for (j = 0; j <= 6; j++) - temp |= *p_char++ << (1+j); - *k_p++ = (unsigned char) temp; - } - - /* fix key parity */ - des_fixup_key_parity(key); - - /* Now one-way encrypt it with the folded key */ - (void) des_key_sched(key,key_sked); - (void) des_cbc_cksum((des_cblock *)in_str,key,length,key_sked,key); - /* erase key_sked */ - memset((char *)key_sked, '\0', sizeof(key_sked)); - - /* now fix up key parity again */ - des_fixup_key_parity(key); - -#ifdef USE_DES_DEBUG - if (des_debug) - fprintf(stdout, - "\nResulting string_to_key = 0x%lx 0x%lx\n", - *((unsigned long *) key), - *((unsigned long *) key+1)); -#endif -} - -#endif /* HAVE_KERBEROS_V */ -#else /* Use ifs version */ - -#if 0 -#include - /* These two needed for rxgen output to work */ -#include -#include -#include -#include - -#include "/usr/andy/kauth/kauth.h" -#include "/usr/andy/kauth/kautils.h" -#endif - -/* This defines the Andrew string_to_key function. It accepts a password - string as input and converts its via a one-way encryption algorithm to a DES - encryption key. It is compatible with the original Andrew authentication - service password database. 
*/ - -static void -Andrew_StringToKey( - char *str, - char *cell, /* cell for password */ - des_cblock *key -) -{ char password[8+1]; /* crypt is limited to 8 chars anyway */ - int i; - int passlen; - - memset(key, '\0', sizeof(des_cblock)); - memset(password, '\0', sizeof(password)); - - strncpy (password, cell, 8); - passlen = strlen (str); - if (passlen > 8) passlen = 8; - - for (i=0; i sizeof(password)) passlen = sizeof(password); - - AC_MEMCPY(ivec, "kerberos", 8); - AC_MEMCPY(temp_key, "kerberos", 8); - des_fixup_key_parity (temp_key); - des_key_sched (temp_key, schedule); - des_cbc_cksum (password, ivec, passlen, schedule, ivec); - - AC_MEMCPY(temp_key, ivec, 8); - des_fixup_key_parity (temp_key); - des_key_sched (temp_key, schedule); - des_cbc_cksum (password, key, passlen, schedule, ivec); - - des_fixup_key_parity (key); -} - -void -ka_StringToKey ( - char *str, - char *cell, /* cell for password */ - des_cblock *key -) -{ char realm[REALM_SZ]; - -#if NOWAYOUTTODAY - long code; -#if 0 - code = ka_CellToRealm (cell, realm, 0/*local*/); -#endif - if (code) strcpy (realm, ""); - else lcstring (realm, realm, sizeof(realm)); /* for backward compatibility */ -#else - (void)strcpy(realm, cell); -#endif - - if (strlen(str) > 8) StringToKey (str, realm, key); - else Andrew_StringToKey (str, realm, key); -} - -/* - * convert an arbitrary length string to a DES key - */ -int -des_string_to_key( char *str, register des_cblock *key ) -{ - /* NB: i should probably call routine to get local cell here */ - ka_StringToKey(str, "umich.edu", key); - return 0; -} - -#endif /* Use IFS Version */ - -#endif /* kerberos */ diff --git a/clients/ud/ud.h b/clients/ud/ud.h index 6f6d1b461a..7411845f45 100644 --- a/clients/ud/ud.h +++ b/clients/ud/ud.h 
@@ -82,15 +82,6 @@ #define G_JOIN 0 #define G_RESIGN 1 -/* - * Authentication method we will be using. - */ -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND -#define UD_AUTH_METHOD LDAP_AUTH_KRBV4 -#else -#define UD_AUTH_METHOD LDAP_AUTH_SIMPLE -#endif - /* * TRUE and FALSE - just in case we need them. */ @@ -193,10 +184,6 @@ extern char Version[]; /* in auth.c: */ int auth LDAP_P(( char *who, int implicit )); -#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && defined(_AC_KRB_H) -int krbgetpass LDAP_P(( char *u, char *in, char *re, char *pw, C_Block key )); -void destroy_tickets LDAP_P(( void )); -#endif /* in edit.c: */ void edit LDAP_P(( char *who )); @@ -263,16 +250,6 @@ void initialize_attribute_strings LDAP_P(( void )); void print_URL LDAP_P(( struct attribute A )); void print_one_URL LDAP_P(( char *s, int l_lead, char *tag, int u_lead )); -/* in string_to_key.c: */ -#if defined(LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND) && !defined(openbsd) && defined(_AC_KRB_H) -#if defined(HAVE_AFS_KERBEROS) || !defined(HAVE_KERBEROS_V) -void des_string_to_key LDAP_P(( char *str, des_cblock *key )); -#endif -#if defined(HAVE_AFS_KERBEROS) -void ka_StringToKey LDAP_P(( char *str, char *cell, des_cblock *key )); -#endif -#endif - /* in util.c: */ void printbase LDAP_P(( char *lead, char *s )); void fetch_buffer LDAP_P(( char *buffer, int length, FILE *where )); diff --git a/clients/ud/util.c b/clients/ud/util.c index 4989b5c75f..4531c0bb25 100644 --- a/clients/ud/util.c +++ b/clients/ud/util.c @@ -107,9 +107,6 @@ fatal( char *s ) { if (errno != 0) perror(s); -#ifdef LDAP_API_FEATURE_X_OPENLDAP_V2_KBIND - destroy_tickets(); -#endif exit( EXIT_FAILURE ); }
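Review bot: Hunk @@ -82,15 +82,6 @@ deletes the UD_AUTH_METHOD macro from ud.h, but no hunk in this commit touches a consumer of it; if any other file under clients/ud still passes UD_AUTH_METHOD to ldap_bind_s, this change breaks the build for both the KBIND and the plain configuration. Worth a grep before merging; if no use remains, the removal is fine as is. The krbgetpass/destroy_tickets prototypes and the string_to_key.c declarations removed in the other two hunks are consistent with the definitions this commit deletes from auth.c and string_to_key.c.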