2 * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
3 * (Royal Institute of Technology, Stockholm, Sweden).
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the Institute nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include "kpasswd_locl.h"
37 #include <kadm5/admin.h>
42 #include <kadm5/private.h>
44 static krb5_context context;
45 static krb5_log_facility *log_facility;
47 static struct getarg_strings addresses_str;
48 krb5_addresses explicit_addresses;
50 static sig_atomic_t exit_flag = 0;
53 add_one_address (const char *str, int first)
58 ret = krb5_parse_address (context, str, &tmp);
60 krb5_err (context, 1, ret, "parse_address `%s'", str);
62 krb5_copy_addresses(context, &tmp, &explicit_addresses);
64 krb5_append_addresses(context, &explicit_addresses, &tmp);
65 krb5_free_addresses (context, &tmp);
77 uint16_t len, ap_rep_len;
82 ap_rep_len = ap_rep->length;
86 len = 6 + ap_rep_len + rest->length;
88 *p++ = (len >> 8) & 0xFF;
89 *p++ = (len >> 0) & 0xFF;
92 *p++ = (ap_rep_len >> 8) & 0xFF;
93 *p++ = (ap_rep_len >> 0) & 0xFF;
95 memset (&msghdr, 0, sizeof(msghdr));
96 msghdr.msg_name = (void *)sa;
97 msghdr.msg_namelen = sa_size;
99 msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
101 msghdr.msg_control = NULL;
102 msghdr.msg_controllen = 0;
105 iov[0].iov_base = (char *)header;
108 iov[1].iov_base = ap_rep->data;
109 iov[1].iov_len = ap_rep->length;
111 iov[1].iov_base = NULL;
114 iov[2].iov_base = rest->data;
115 iov[2].iov_len = rest->length;
117 if (sendmsg (s, &msghdr, 0) < 0)
118 krb5_warn (context, errno, "sendmsg");
122 make_result (krb5_data *data,
123 uint16_t result_code,
127 krb5_data_zero (data);
129 data->length = asprintf (&str,
131 (result_code >> 8) & 0xFF,
136 krb5_warnx (context, "Out of memory generating error reply");
144 reply_error (krb5_realm realm,
148 krb5_error_code error_code,
149 uint16_t result_code,
153 krb5_data error_data;
155 krb5_principal server = NULL;
157 if (make_result(&e_data, result_code, expl))
161 ret = krb5_make_principal (context, &server, realm,
162 "kadmin", "changepw", NULL);
164 krb5_data_free (&e_data);
169 ret = krb5_mk_error (context,
179 krb5_free_principal(context, server);
180 krb5_data_free (&e_data);
182 krb5_warn (context, ret, "Could not even generate error reply");
185 send_reply (s, sa, sa_size, NULL, &error_data);
186 krb5_data_free (&error_data);
190 reply_priv (krb5_auth_context auth_context,
194 uint16_t result_code,
198 krb5_data krb_priv_data;
199 krb5_data ap_rep_data;
202 ret = krb5_mk_rep (context,
206 krb5_warn (context, ret, "Could not even generate error reply");
210 if (make_result(&e_data, result_code, expl))
213 ret = krb5_mk_priv (context,
218 krb5_data_free (&e_data);
220 krb5_warn (context, ret, "Could not even generate error reply");
223 send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
224 krb5_data_free (&ap_rep_data);
225 krb5_data_free (&krb_priv_data);
229 * Change the password for `principal', sending the reply back on `s'
230 * (`sa', `sa_size') to `pwd_data'.
234 change (krb5_auth_context auth_context,
235 krb5_principal admin_principal,
243 char *client = NULL, *admin = NULL;
244 const char *pwd_reason;
245 kadm5_config_params conf;
246 void *kadm5_handle = NULL;
247 krb5_principal principal = NULL;
248 krb5_data *pwd_data = NULL;
250 ChangePasswdDataMS chpw;
252 memset (&conf, 0, sizeof(conf));
253 memset(&chpw, 0, sizeof(chpw));
255 if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
256 ret = krb5_copy_data(context, in_data, &pwd_data);
258 krb5_warn (context, ret, "krb5_copy_data");
259 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
260 "out out memory copying password");
263 principal = admin_principal;
264 } else if (version == KRB5_KPASSWD_VERS_SETPW) {
267 ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
270 krb5_warn (context, ret, "decode_ChangePasswdDataMS");
271 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
272 "malformed ChangePasswdData");
277 ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
279 krb5_warn (context, ret, "krb5_copy_data");
280 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
281 "out out memory copying password");
285 if (chpw.targname == NULL && chpw.targrealm != NULL) {
286 krb5_warn (context, ret, "kadm5_init_with_password_ctx");
287 reply_priv (auth_context, s, sa, sa_size,
288 KRB5_KPASSWD_MALFORMED,
289 "targrealm but not targname");
294 krb5_principal_data princ;
296 princ.name = *chpw.targname;
297 princ.realm = *chpw.targrealm;
298 if (princ.realm == NULL) {
299 ret = krb5_get_default_realm(context, &princ.realm);
303 "kadm5_init_with_password_ctx: "
304 "failed to allocate realm");
305 reply_priv (auth_context, s, sa, sa_size,
306 KRB5_KPASSWD_SOFTERROR,
307 "failed to allocate realm");
311 ret = krb5_copy_principal(context, &princ, &principal);
312 if (*chpw.targrealm == NULL)
315 krb5_warn(context, ret, "krb5_copy_principal");
316 reply_priv(auth_context, s, sa, sa_size,
317 KRB5_KPASSWD_HARDERROR,
318 "failed to allocate principal");
322 principal = admin_principal;
324 krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
325 reply_priv (auth_context, s, sa, sa_size,
326 KRB5_KPASSWD_HARDERROR,
327 "Unknown protocol used");
331 ret = krb5_unparse_name (context, admin_principal, &admin);
333 krb5_warn (context, ret, "unparse_name failed");
334 reply_priv (auth_context, s, sa, sa_size,
335 KRB5_KPASSWD_HARDERROR, "out of memory error");
339 conf.realm = principal->realm;
340 conf.mask |= KADM5_CONFIG_REALM;
342 ret = kadm5_init_with_password_ctx(context,
349 krb5_warn (context, ret, "kadm5_init_with_password_ctx");
350 reply_priv (auth_context, s, sa, sa_size, 2,
355 ret = krb5_unparse_name(context, principal, &client);
357 krb5_warn (context, ret, "unparse_name failed");
358 reply_priv (auth_context, s, sa, sa_size,
359 KRB5_KPASSWD_HARDERROR, "out of memory error");
364 * Check password quality if not changing as administrator
367 if (krb5_principal_compare(context, admin_principal, principal) == TRUE) {
369 pwd_reason = kadm5_check_password_quality (context, principal,
371 if (pwd_reason != NULL ) {
373 "%s didn't pass password quality check with error: %s",
375 reply_priv (auth_context, s, sa, sa_size,
376 KRB5_KPASSWD_SOFTERROR, pwd_reason);
379 krb5_warnx (context, "Changing password for %s", client);
381 ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW,
384 krb5_warn (context, ret,
385 "Check ACL failed for %s for changing %s password",
387 reply_priv (auth_context, s, sa, sa_size,
388 KRB5_KPASSWD_HARDERROR, "permission denied");
391 krb5_warnx (context, "%s is changing password for %s", admin, client);
394 ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
396 krb5_warn (context, ret, "malloc: out of memory");
397 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR,
401 tmp = pwd_data->data;
402 tmp[pwd_data->length - 1] = '\0';
404 ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, tmp);
405 krb5_free_data (context, pwd_data);
408 const char *str = krb5_get_error_message(context, ret);
409 krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
410 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR,
411 str ? str : "Internal error");
412 krb5_free_error_message(context, str);
415 reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS,
418 free_ChangePasswdDataMS(&chpw);
419 if (principal != admin_principal)
420 krb5_free_principal(context, principal);
426 krb5_free_data(context, pwd_data);
428 kadm5_destroy (kadm5_handle);
432 verify (krb5_auth_context *auth_context,
435 krb5_ticket **ticket,
445 uint16_t pkt_len, pkt_ver, ap_req_len;
446 krb5_data ap_req_data;
447 krb5_data krb_priv_data;
451 * Only send an error reply if the request passes basic length
452 * verification. Otherwise, kpasswdd would reply to every UDP packet,
453 * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP
454 * packet with a source address of another UDP service that also replies
457 * Also suppress the error reply if ap_req_len is 0, which indicates
458 * either an invalid request or an error packet. An error packet may be
459 * the result of a ping-pong attacker pointing us at another kpasswdd.
461 pkt_len = (msg[0] << 8) | (msg[1]);
462 pkt_ver = (msg[2] << 8) | (msg[3]);
463 ap_req_len = (msg[4] << 8) | (msg[5]);
464 if (pkt_len != len) {
465 krb5_warnx (context, "Strange len: %ld != %ld",
466 (long)pkt_len, (long)len);
469 if (ap_req_len == 0) {
470 krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
473 if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
474 pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
475 krb5_warnx (context, "Bad version (%d)", pkt_ver);
476 reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version");
481 ap_req_data.data = msg + 6;
482 ap_req_data.length = ap_req_len;
484 ret = krb5_rd_req (context,
492 krb5_warn (context, ret, "krb5_rd_req");
493 reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed");
497 /* verify realm and principal */
498 for (r = realms; *r != NULL; r++) {
499 krb5_principal principal;
502 ret = krb5_make_principal (context,
509 krb5_err (context, 1, ret, "krb5_make_principal");
511 same = krb5_principal_compare(context, principal, (*ticket)->server);
512 krb5_free_principal(context, principal);
518 krb5_unparse_name(context, (*ticket)->server, &str);
519 krb5_warnx (context, "client used not valid principal %s", str);
521 reply_error (NULL, s, sa, sa_size, ret, 1,
526 if (strcmp((*ticket)->server->realm, (*ticket)->client->realm) != 0) {
527 krb5_warnx (context, "server realm (%s) not same a client realm (%s)",
528 (*ticket)->server->realm, (*ticket)->client->realm);
529 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
534 if (!(*ticket)->ticket.flags.initial) {
535 krb5_warnx (context, "initial flag not set");
536 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 1,
540 krb_priv_data.data = msg + 6 + ap_req_len;
541 krb_priv_data.length = len - 6 - ap_req_len;
543 ret = krb5_rd_priv (context,
550 krb5_warn (context, ret, "krb5_rd_priv");
551 reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3,
557 krb5_free_ticket (context, *ticket);
563 process (krb5_realm *realms,
566 krb5_address *this_addr,
573 krb5_auth_context auth_context = NULL;
576 krb5_address other_addr;
580 krb5_data_zero (&out_data);
582 ret = krb5_auth_con_init (context, &auth_context);
584 krb5_warn (context, ret, "krb5_auth_con_init");
588 krb5_auth_con_setflags (context, auth_context,
589 KRB5_AUTH_CONTEXT_DO_SEQUENCE);
591 ret = krb5_sockaddr2address (context, sa, &other_addr);
593 krb5_warn (context, ret, "krb5_sockaddr2address");
597 ret = krb5_auth_con_setaddrs (context,
601 krb5_free_address (context, &other_addr);
603 krb5_warn (context, ret, "krb5_auth_con_setaddr");
607 if (verify (&auth_context, realms, keytab, &ticket, &out_data,
608 &version, s, sa, sa_size, msg, len) == 0) {
609 change (auth_context,
615 memset (out_data.data, 0, out_data.length);
616 krb5_free_ticket (context, ticket);
620 krb5_data_free (&out_data);
621 krb5_auth_con_free (context, auth_context);
625 doit (krb5_keytab keytab, int port)
631 krb5_addresses addrs;
634 struct sockaddr_storage __ss;
635 struct sockaddr *sa = (struct sockaddr *)&__ss;
637 ret = krb5_get_default_realms(context, &realms);
639 krb5_err (context, 1, ret, "krb5_get_default_realms");
641 if (explicit_addresses.len) {
642 addrs = explicit_addresses;
644 ret = krb5_get_all_server_addrs (context, &addrs);
646 krb5_err (context, 1, ret, "krb5_get_all_server_addrs");
650 sockets = malloc (n * sizeof(*sockets));
652 krb5_errx (context, 1, "out of memory");
654 FD_ZERO(&real_fdset);
655 for (i = 0; i < n; ++i) {
656 krb5_socklen_t sa_size = sizeof(__ss);
658 krb5_addr2sockaddr (context, &addrs.val[i], sa, &sa_size, port);
660 sockets[i] = socket (sa->sa_family, SOCK_DGRAM, 0);
662 krb5_err (context, 1, errno, "socket");
663 if (bind (sockets[i], sa, sa_size) < 0) {
666 int save_errno = errno;
668 ret = krb5_print_address (&addrs.val[i], str, sizeof(str), &len);
670 strlcpy(str, "unknown address", sizeof(str));
671 krb5_warn (context, save_errno, "bind(%s)", str);
674 maxfd = max (maxfd, sockets[i]);
675 if (maxfd >= FD_SETSIZE)
676 krb5_errx (context, 1, "fd too large");
677 FD_SET(sockets[i], &real_fdset);
680 krb5_errx (context, 1, "No sockets!");
682 while(exit_flag == 0) {
684 fd_set fdset = real_fdset;
686 ret = select (maxfd + 1, &fdset, NULL, NULL, NULL);
691 krb5_err (context, 1, errno, "select");
693 for (i = 0; i < n; ++i)
694 if (FD_ISSET(sockets[i], &fdset)) {
696 socklen_t addrlen = sizeof(__ss);
698 ret = recvfrom (sockets[i], buf, sizeof(buf), 0,
704 krb5_err (context, 1, errno, "recvfrom");
707 process (realms, keytab, sockets[i],
714 for (i = 0; i < n; ++i)
718 krb5_free_addresses (context, &addrs);
719 krb5_free_host_realm (context, realms);
720 krb5_free_context (context);
730 static const char *check_library = NULL;
731 static const char *check_function = NULL;
732 static getarg_strings policy_libraries = { 0, NULL };
733 static char *keytab_str = "HDB:";
734 static char *realm_str;
735 static int version_flag;
736 static int help_flag;
737 static char *port_str;
738 static char *config_file;
740 struct getargs args[] = {
742 { "check-library", 0, arg_string, &check_library,
743 "library to load password check function from", "library" },
744 { "check-function", 0, arg_string, &check_function,
745 "password check function to load", "function" },
746 { "policy-libraries", 0, arg_strings, &policy_libraries,
747 "password check function to load", "function" },
749 { "addresses", 0, arg_strings, &addresses_str,
750 "addresses to listen on", "list of addresses" },
751 { "keytab", 'k', arg_string, &keytab_str,
752 "keytab to get authentication key from", "kspec" },
753 { "config-file", 'c', arg_string, &config_file },
754 { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
755 { "port", 'p', arg_string, &port_str, "port" },
756 { "version", 0, arg_flag, &version_flag },
757 { "help", 0, arg_flag, &help_flag }
759 int num_args = sizeof(args) / sizeof(args[0]);
762 main (int argc, char **argv)
769 krb5_program_setup(&context, argc, argv, args, num_args, NULL);
772 krb5_std_usage(0, args, num_args);
778 if (config_file == NULL) {
779 asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
780 if (config_file == NULL)
781 errx(1, "out of memory");
784 ret = krb5_prepend_config_files_default(config_file, &files);
786 krb5_err(context, 1, ret, "getting configuration files");
788 ret = krb5_set_config_files(context, files);
789 krb5_free_config_files(files);
791 krb5_err(context, 1, ret, "reading configuration files");
794 krb5_set_default_realm(context, realm_str);
796 krb5_openlog (context, "kpasswdd", &log_facility);
797 krb5_set_warn_dest(context, log_facility);
799 if (port_str != NULL) {
800 struct servent *s = roken_getservbyname (port_str, "udp");
807 port = strtol (port_str, &ptr, 10);
808 if (port == 0 && ptr == port_str)
809 krb5_errx (context, 1, "bad port `%s'", port_str);
813 port = krb5_getportbyname (context, "kpasswd", "udp", KPASSWD_PORT);
815 ret = krb5_kt_register(context, &hdb_kt_ops);
817 krb5_err(context, 1, ret, "krb5_kt_register");
819 ret = krb5_kt_resolve(context, keytab_str, &keytab);
821 krb5_err(context, 1, ret, "%s", keytab_str);
823 kadm5_setup_passwd_quality_check (context, check_library, check_function);
825 for (i = 0; i < policy_libraries.num_strings; i++) {
826 ret = kadm5_add_passwd_quality_verifier(context,
827 policy_libraries.strings[i]);
829 krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
831 ret = kadm5_add_passwd_quality_verifier(context, NULL);
833 krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
836 explicit_addresses.len = 0;
838 if (addresses_str.num_strings) {
841 for (i = 0; i < addresses_str.num_strings; ++i)
842 add_one_address (addresses_str.strings[i], i == 0);
843 free_getarg_strings (&addresses_str);
845 char **foo = krb5_config_get_strings (context, NULL,
846 "kdc", "addresses", NULL);
849 add_one_address (*foo++, TRUE);
851 add_one_address (*foo++, FALSE);
855 #ifdef HAVE_SIGACTION
860 sa.sa_handler = sigterm;
861 sigemptyset(&sa.sa_mask);
863 sigaction(SIGINT, &sa, NULL);
864 sigaction(SIGTERM, &sa, NULL);
867 signal(SIGINT, sigterm);
868 signal(SIGTERM, sigterm);
873 return doit (keytab, port);