3 * Bacula Director -- authorize.c -- handles authorization of
4 * Storage and File daemons.
6 * Kern Sibbald, May MMI
8 * This routine runs as a thread and must be thread reentrant.
14 Copyright (C) 2001-2004 Kern Sibbald and John Walker
16 This program is free software; you can redistribute it and/or
17 modify it under the terms of the GNU General Public License as
18 published by the Free Software Foundation; either version 2 of
19 the License, or (at your option) any later version.
21 This program is distributed in the hope that it will be useful,
22 but WITHOUT ANY WARRANTY; without even the implied warranty of
23 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
24 General Public License for more details.
26 You should have received a copy of the GNU General Public
27 License along with this program; if not, write to the Free
28 Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
36 extern DIRRES *director;
37 extern char my_name[];
39 /* Commands sent to Storage daemon and File daemon and received
40 * from the User Agent */
41 static char hello[] = "Hello Director %s calling\n";
43 /* Response from Storage daemon */
44 static char OKhello[] = "3000 OK Hello\n";
45 static char FDOKhello[] = "2000 OK Hello\n";
47 /* Sent to User Agent */
48 static char Dir_sorry[] = "1999 You are not authorized.\n";
50 /* Forward referenced functions */
53 * Authenticate Storage daemon connection
55 bool authenticate_storage_daemon(JCR *jcr, STORE *store)
57 BSOCK *sd = jcr->store_bsock;
58 char dirname[MAX_NAME_LENGTH];
59 int ssl_need = BNET_SSL_NONE;
60 bool get_auth, auth = false;
63 * Send my name to the Storage daemon then do authentication
65 bstrncpy(dirname, director->hdr.name, sizeof(dirname));
67 /* Timeout Hello after 1 min */
68 btimer_t *tid = start_bsock_timer(sd, AUTH_TIMEOUT);
69 if (!bnet_fsend(sd, hello, dirname)) {
70 stop_bsock_timer(tid);
71 Dmsg1(50, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd));
72 Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to Storage daemon. ERR=%s\n"), bnet_strerror(sd));
75 get_auth = cram_md5_get_auth(sd, store->password, ssl_need);
77 auth = cram_md5_auth(sd, store->password, ssl_need);
79 Dmsg1(50, "cram_auth failed for %s\n", sd->who);
82 Dmsg1(50, "cram_get_auth failed for %s\n", sd->who);
84 if (!get_auth || !auth) {
85 stop_bsock_timer(tid);
86 Dmsg0(50, _("Director and Storage daemon passwords or names not the same.\n"));
87 Jmsg0(jcr, M_FATAL, 0,
88 _("Unable to authenticate with Storage daemon. Possible causes:\n"
89 "Passwords or names not the same or\n"
90 "Maximum Concurrent Jobs exceeded on the SD or\n"
91 "SD networking messed up (restart daemon).\n"
92 "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"));
95 Dmsg1(116, ">stored: %s", sd->msg);
96 if (bnet_recv(sd) <= 0) {
97 stop_bsock_timer(tid);
98 Jmsg1(jcr, M_FATAL, 0, _("bdird<stored: bad response to Hello command: ERR=%s\n"),
102 Dmsg1(110, "<stored: %s", sd->msg);
103 stop_bsock_timer(tid);
104 if (strncmp(sd->msg, OKhello, sizeof(OKhello)) != 0) {
105 Dmsg0(50, _("Storage daemon rejected Hello command\n"));
106 Jmsg0(jcr, M_FATAL, 0, _("Storage daemon rejected Hello command\n"));
113 * Authenticate File daemon connection
115 int authenticate_file_daemon(JCR *jcr)
117 BSOCK *fd = jcr->file_bsock;
118 char dirname[MAX_NAME_LENGTH];
119 int ssl_need = BNET_SSL_NONE;
120 bool get_auth, auth = false;
123 * Send my name to the File daemon then do authentication
125 bstrncpy(dirname, director->hdr.name, sizeof(dirname));
126 bash_spaces(dirname);
127 /* Timeout Hello after 10 mins */
128 btimer_t *tid = start_bsock_timer(fd, AUTH_TIMEOUT);
129 if (!bnet_fsend(fd, hello, dirname)) {
130 stop_bsock_timer(tid);
131 Jmsg(jcr, M_FATAL, 0, _("Error sending Hello to File daemon. ERR=%s\n"), bnet_strerror(fd));
134 get_auth = cram_md5_get_auth(fd, jcr->client->password, ssl_need);
136 auth = cram_md5_auth(fd, jcr->client->password, ssl_need);
138 Dmsg1(50, "cram_auth failed for %s\n", fd->who);
141 Dmsg1(50, "cram_get_auth failed for %s\n", fd->who);
143 if (!get_auth || !auth) {
144 stop_bsock_timer(tid);
145 Dmsg0(50, _("Director and File daemon passwords or names not the same.\n"));
146 Jmsg(jcr, M_FATAL, 0,
147 _("Unable to authenticate with File daemon. Possible causes:\n"
148 "Passwords or names not the same or\n"
149 "Maximum Concurrent Jobs exceeded on the FD or\n"
150 "FD networking messed up (restart daemon).\n"
151 "Please see http://www.bacula.org/html-manual/faq.html#AuthorizationErrors for help.\n"));
154 Dmsg1(116, ">filed: %s", fd->msg);
155 if (bnet_recv(fd) <= 0) {
156 stop_bsock_timer(tid);
157 Dmsg1(50, _("Bad response from File daemon to Hello command: ERR=%s\n"),
159 Jmsg(jcr, M_FATAL, 0, _("Bad response from File daemon to Hello command: ERR=%s\n"),
163 Dmsg1(110, "<stored: %s", fd->msg);
164 stop_bsock_timer(tid);
165 if (strncmp(fd->msg, FDOKhello, sizeof(FDOKhello)) != 0) {
166 Dmsg0(50, _("File daemon rejected Hello command\n"));
167 Jmsg(jcr, M_FATAL, 0, _("File daemon rejected Hello command\n"));
173 /*********************************************************************
176 int authenticate_user_agent(UAContext *uac)
178 char name[MAX_NAME_LENGTH];
179 int ssl_need = BNET_SSL_NONE;
181 BSOCK *ua = uac->UA_sock;
183 // Emsg4(M_INFO, 0, _("UA Hello from %s:%s:%d is invalid. Len=%d\n"), ua->who,
184 // ua->host, ua->port, ua->msglen);
185 if (ua->msglen < 16 || ua->msglen >= MAX_NAME_LENGTH + 15) {
186 Emsg4(M_ERROR, 0, _("UA Hello from %s:%s:%d is invalid. Len=%d\n"), ua->who,
187 ua->host, ua->port, ua->msglen);
191 if (sscanf(ua->msg, "Hello %127s calling\n", name) != 1) {
192 ua->msg[100] = 0; /* terminate string */
193 Emsg4(M_ERROR, 0, _("UA Hello from %s:%s:%d is invalid. Got: %s\n"), ua->who,
194 ua->host, ua->port, ua->msg);
197 name[sizeof(name)-1] = 0; /* terminate name */
198 if (strcmp(name, "*UserAgent*") == 0) { /* default console */
199 ok = cram_md5_auth(ua, director->password, ssl_need) &&
200 cram_md5_get_auth(ua, director->password, ssl_need);
203 CONRES *cons = (CONRES *)GetResWithName(R_CONSOLE, name);
205 ok = cram_md5_auth(ua, cons->password, ssl_need) &&
206 cram_md5_get_auth(ua, cons->password, ssl_need);
208 uac->cons = cons; /* save console resource pointer */
215 bnet_fsend(ua, "%s", _(Dir_sorry));
216 Emsg4(M_ERROR, 0, _("Unable to authenticate console \"%s\" at %s:%s:%d.\n"),
217 name, ua->who, ua->host, ua->port);
221 bnet_fsend(ua, "1000 OK: %s Version: " VERSION " (" BDATE ")\n", my_name);