1 /*-
2 * Copyright (c) 1991, 1993
3 * Dave Safford. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 */
30
31 #include <sys/cdefs.h>
32
33 __FBSDID("$FreeBSD$");
34
35 #ifdef SRA
36 #ifdef ENCRYPTION
37 #include <sys/types.h>
38 #include <arpa/telnet.h>
39 #include <pwd.h>
40 #include <stdio.h>
41 #include <stdlib.h>
42 #include <string.h>
43 #include <syslog.h>
44 #include <ttyent.h>
45
46 #ifndef NOPAM
47 #include <security/pam_appl.h>
48 #else
49 #include <unistd.h>
50 #endif
51
52 #include "auth.h"
53 #include "misc.h"
54 #include "encrypt.h"
55 #include "pk.h"
56
57 char pka[HEXKEYBYTES+1], ska[HEXKEYBYTES+1], pkb[HEXKEYBYTES+1];
58 char *user, *pass, *xuser, *xpass;
59 DesData ck;
60 IdeaData ik;
61
62 extern int auth_debug_mode;
63 extern char line[];
64
65 static int sra_valid = 0;
66 static int passwd_sent = 0;
67
68 static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
69 AUTHTYPE_SRA, };
70
71 #define SRA_KEY 0
72 #define SRA_USER 1
73 #define SRA_CONTINUE 2
74 #define SRA_PASS 3
75 #define SRA_ACCEPT 4
76 #define SRA_REJECT 5
77
78 static int check_user(char *, char *);
79
80 /* support routine to send out authentication message */
81 static int
Data(Authenticator * ap,int type,void * d,int c)82 Data(Authenticator *ap, int type, void *d, int c)
83 {
84 unsigned char *p = str_data + 4;
85 unsigned char *cd = (unsigned char *)d;
86
87 if (c == -1)
88 c = strlen((char *)cd);
89
90 if (auth_debug_mode) {
91 printf("%s:%d: [%d] (%d)",
92 str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
93 str_data[3],
94 type, c);
95 printd(d, c);
96 printf("\r\n");
97 }
98 *p++ = ap->type;
99 *p++ = ap->way;
100 *p++ = type;
101 while (c-- > 0) {
102 if ((*p++ = *cd++) == IAC)
103 *p++ = IAC;
104 }
105 *p++ = IAC;
106 *p++ = SE;
107 if (str_data[3] == TELQUAL_IS)
108 printsub('>', &str_data[2], p - (&str_data[2]));
109 return(net_write(str_data, p - str_data));
110 }
111
112 int
sra_init(Authenticator * ap __unused,int server)113 sra_init(Authenticator *ap __unused, int server)
114 {
115 if (server)
116 str_data[3] = TELQUAL_REPLY;
117 else
118 str_data[3] = TELQUAL_IS;
119
120 user = (char *)malloc(256);
121 xuser = (char *)malloc(513);
122 pass = (char *)malloc(256);
123 xpass = (char *)malloc(513);
124
125 if (user == NULL || xuser == NULL || pass == NULL || xpass ==
126 NULL)
127 return 0; /* malloc failed */
128
129 passwd_sent = 0;
130
131 genkeys(pka,ska);
132 return(1);
133 }
134
135 /* client received a go-ahead for sra */
136 int
sra_send(Authenticator * ap)137 sra_send(Authenticator *ap)
138 {
139 /* send PKA */
140
141 if (auth_debug_mode)
142 printf("Sent PKA to server.\r\n" );
143 printf("Trying SRA secure login:\r\n");
144 if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
145 if (auth_debug_mode)
146 printf("Not enough room for authentication data\r\n");
147 return(0);
148 }
149
150 return(1);
151 }
152
153 /* server received an IS -- could be SRA KEY, USER, or PASS */
154 void
sra_is(Authenticator * ap,unsigned char * data,int cnt)155 sra_is(Authenticator *ap, unsigned char *data, int cnt)
156 {
157 int valid;
158 Session_Key skey;
159
160 if (cnt-- < 1)
161 goto bad;
162 switch (*data++) {
163
164 case SRA_KEY:
165 if (cnt < HEXKEYBYTES) {
166 Data(ap, SRA_REJECT, (void *)0, 0);
167 auth_finished(ap, AUTH_USER);
168 if (auth_debug_mode) {
169 printf("SRA user rejected for bad PKB\r\n");
170 }
171 return;
172 }
173 if (auth_debug_mode)
174 printf("Sent pka\r\n");
175 if (!Data(ap, SRA_KEY, (void *)pka, HEXKEYBYTES)) {
176 if (auth_debug_mode)
177 printf("Not enough room\r\n");
178 return;
179 }
180 memcpy(pkb,data,HEXKEYBYTES);
181 pkb[HEXKEYBYTES] = '\0';
182 common_key(ska,pkb,&ik,&ck);
183 return;
184
185 case SRA_USER:
186 /* decode KAB(u) */
187 if (cnt > 512) /* Attempted buffer overflow */
188 break;
189 memcpy(xuser,data,cnt);
190 xuser[cnt] = '\0';
191 pk_decode(xuser,user,&ck);
192 auth_encrypt_user(user);
193 Data(ap, SRA_CONTINUE, (void *)0, 0);
194
195 return;
196
197 case SRA_PASS:
198 if (cnt > 512) /* Attempted buffer overflow */
199 break;
200 /* decode KAB(P) */
201 memcpy(xpass,data,cnt);
202 xpass[cnt] = '\0';
203 pk_decode(xpass,pass,&ck);
204
205 /* check user's password */
206 valid = check_user(user,pass);
207
208 if(valid) {
209 Data(ap, SRA_ACCEPT, (void *)0, 0);
210 skey.data = ck;
211 skey.type = SK_DES;
212 skey.length = 8;
213 encrypt_session_key(&skey, 1);
214
215 sra_valid = 1;
216 auth_finished(ap, AUTH_VALID);
217 if (auth_debug_mode) {
218 printf("SRA user accepted\r\n");
219 }
220 }
221 else {
222 Data(ap, SRA_CONTINUE, (void *)0, 0);
223 /*
224 Data(ap, SRA_REJECT, (void *)0, 0);
225 sra_valid = 0;
226 auth_finished(ap, AUTH_REJECT);
227 */
228 if (auth_debug_mode) {
229 printf("SRA user failed\r\n");
230 }
231 }
232 return;
233
234 default:
235 if (auth_debug_mode)
236 printf("Unknown SRA option %d\r\n", data[-1]);
237 }
238 bad:
239 Data(ap, SRA_REJECT, 0, 0);
240 sra_valid = 0;
241 auth_finished(ap, AUTH_REJECT);
242 }
243
244 /* client received REPLY -- could be SRA KEY, CONTINUE, ACCEPT, or REJECT */
245 void
sra_reply(Authenticator * ap,unsigned char * data,int cnt)246 sra_reply(Authenticator *ap, unsigned char *data, int cnt)
247 {
248 char uprompt[256 + 10]; /* +10 for "User (): " */
249 char tuser[256];
250 Session_Key skey;
251 size_t i, len;
252
253 if (cnt-- < 1)
254 return;
255 switch (*data++) {
256
257 case SRA_KEY:
258 /* calculate common key */
259 if (cnt < HEXKEYBYTES) {
260 if (auth_debug_mode) {
261 printf("SRA user rejected for bad PKB\r\n");
262 }
263 return;
264 }
265 memcpy(pkb,data,HEXKEYBYTES);
266 pkb[HEXKEYBYTES] = '\0';
267
268 common_key(ska,pkb,&ik,&ck);
269
270 enc_user:
271
272 /* encode user */
273 memset(tuser,0,sizeof(tuser));
274 len = snprintf(uprompt, sizeof(uprompt), "User (%s): ",
275 UserNameRequested);
276 if (len >= sizeof(uprompt)) {
277 if (auth_debug_mode) {
278 printf("SRA user name too long\r\n");
279 }
280 return;
281 }
282 telnet_gets(uprompt, tuser, sizeof(tuser) - 1, 1);
283 if (tuser[0] == '\n' || tuser[0] == '\r' )
284 strcpy(user,UserNameRequested);
285 else {
286 /* telnet_gets leaves the newline on */
287 for(i=0;i<sizeof(tuser);i++) {
288 if (tuser[i] == '\n') {
289 tuser[i] = '\0';
290 break;
291 }
292 }
293 strcpy(user,tuser);
294 }
295 pk_encode(user,xuser,&ck);
296
297 /* send it off */
298 if (auth_debug_mode)
299 printf("Sent KAB(U)\r\n");
300 if (!Data(ap, SRA_USER, (void *)xuser, strlen(xuser))) {
301 if (auth_debug_mode)
302 printf("Not enough room\r\n");
303 return;
304 }
305 break;
306
307 case SRA_CONTINUE:
308 if (passwd_sent) {
309 passwd_sent = 0;
310 printf("[ SRA login failed ]\r\n");
311 goto enc_user;
312 }
313 /* encode password */
314 memset(pass,0,256);
315 telnet_gets("Password: ",pass,255,0);
316 pk_encode(pass,xpass,&ck);
317 /* send it off */
318 if (auth_debug_mode)
319 printf("Sent KAB(P)\r\n");
320 if (!Data(ap, SRA_PASS, (void *)xpass, strlen(xpass))) {
321 if (auth_debug_mode)
322 printf("Not enough room\r\n");
323 return;
324 }
325 passwd_sent = 1;
326 break;
327
328 case SRA_REJECT:
329 printf("[ SRA refuses authentication ]\r\n");
330 printf("Trying plaintext login:\r\n");
331 auth_finished(0,AUTH_REJECT);
332 return;
333
334 case SRA_ACCEPT:
335 printf("[ SRA accepts you ]\r\n");
336 skey.data = ck;
337 skey.type = SK_DES;
338 skey.length = 8;
339 encrypt_session_key(&skey, 0);
340
341 auth_finished(ap, AUTH_VALID);
342 return;
343 default:
344 if (auth_debug_mode)
345 printf("Unknown SRA option %d\r\n", data[-1]);
346 return;
347 }
348 }
349
350 int
sra_status(Authenticator * ap __unused,char * name,int level)351 sra_status(Authenticator *ap __unused, char *name, int level)
352 {
353 if (level < AUTH_USER)
354 return(level);
355 if (UserNameRequested && sra_valid) {
356 strcpy(name, UserNameRequested);
357 return(AUTH_VALID);
358 } else
359 return(AUTH_USER);
360 }
361
362 #define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
363 #define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
364
365 void
sra_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)366 sra_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
367 {
368 char lbuf[32];
369 int i;
370
371 buf[buflen-1] = '\0'; /* make sure its NULL terminated */
372 buflen -= 1;
373
374 switch(data[3]) {
375
376 case SRA_CONTINUE:
377 strncpy((char *)buf, " CONTINUE ", buflen);
378 goto common;
379
380 case SRA_REJECT: /* Rejected (reason might follow) */
381 strncpy((char *)buf, " REJECT ", buflen);
382 goto common;
383
384 case SRA_ACCEPT: /* Accepted (name might follow) */
385 strncpy((char *)buf, " ACCEPT ", buflen);
386
387 common:
388 BUMP(buf, buflen);
389 if (cnt <= 4)
390 break;
391 ADDC(buf, buflen, '"');
392 for (i = 4; i < cnt; i++)
393 ADDC(buf, buflen, data[i]);
394 ADDC(buf, buflen, '"');
395 ADDC(buf, buflen, '\0');
396 break;
397
398 case SRA_KEY: /* Authentication data follows */
399 strncpy((char *)buf, " KEY ", buflen);
400 goto common2;
401
402 case SRA_USER:
403 strncpy((char *)buf, " USER ", buflen);
404 goto common2;
405
406 case SRA_PASS:
407 strncpy((char *)buf, " PASS ", buflen);
408 goto common2;
409
410 default:
411 sprintf(lbuf, " %d (unknown)", data[3]);
412 strncpy((char *)buf, lbuf, buflen);
413 common2:
414 BUMP(buf, buflen);
415 for (i = 4; i < cnt; i++) {
416 sprintf(lbuf, " %d", data[i]);
417 strncpy((char *)buf, lbuf, buflen);
418 BUMP(buf, buflen);
419 }
420 break;
421 }
422 }
423
424 static int
isroot(const char * usr)425 isroot(const char *usr)
426 {
427 struct passwd *pwd;
428
429 if ((pwd=getpwnam(usr))==NULL)
430 return 0;
431 return (!pwd->pw_uid);
432 }
433
434 static int
rootterm(char * ttyn)435 rootterm(char *ttyn)
436 {
437 struct ttyent *t;
438
439 return ((t = getttynam(ttyn)) && t->ty_status & TTY_SECURE);
440 }
441
442 #ifdef NOPAM
443 static int
check_user(char * name,char * cred)444 check_user(char *name, char *cred)
445 {
446 char *cp;
447 char *xpasswd, *salt;
448
449 if (isroot(name) && !rootterm(line))
450 {
451 crypt("AA","*"); /* Waste some time to simulate success */
452 return(0);
453 }
454
455 if (pw = sgetpwnam(name)) {
456 if (pw->pw_shell == NULL) {
457 pw = (struct passwd *) NULL;
458 return(0);
459 }
460
461 salt = pw->pw_passwd;
462 xpasswd = crypt(cred, salt);
463 /* The strcmp does not catch null passwords! */
464 if (pw == NULL || *pw->pw_passwd == '\0' ||
465 strcmp(xpasswd, pw->pw_passwd)) {
466 pw = (struct passwd *) NULL;
467 return(0);
468 }
469 return(1);
470 }
471 return(0);
472 }
473 #else
474
475 /*
476 * The following is stolen from ftpd, which stole it from the imap-uw
477 * PAM module and login.c. It is needed because we can't really
478 * "converse" with the user, having already gone to the trouble of
479 * getting their username and password through an encrypted channel.
480 */
481
482 #define COPY_STRING(s) (s ? strdup(s):NULL)
483
484 struct cred_t {
485 const char *uname;
486 const char *pass;
487 };
488 typedef struct cred_t cred_t;
489
490 static int
auth_conv(int num_msg,const struct pam_message ** msg,struct pam_response ** resp,void * appdata)491 auth_conv(int num_msg, const struct pam_message **msg, struct pam_response **resp, void *appdata)
492 {
493 int i;
494 cred_t *cred = (cred_t *) appdata;
495 struct pam_response *reply =
496 malloc(sizeof(struct pam_response) * num_msg);
497
498 if (reply == NULL)
499 return PAM_BUF_ERR;
500
501 for (i = 0; i < num_msg; i++) {
502 switch (msg[i]->msg_style) {
503 case PAM_PROMPT_ECHO_ON: /* assume want user name */
504 reply[i].resp_retcode = PAM_SUCCESS;
505 reply[i].resp = COPY_STRING(cred->uname);
506 /* PAM frees resp. */
507 break;
508 case PAM_PROMPT_ECHO_OFF: /* assume want password */
509 reply[i].resp_retcode = PAM_SUCCESS;
510 reply[i].resp = COPY_STRING(cred->pass);
511 /* PAM frees resp. */
512 break;
513 case PAM_TEXT_INFO:
514 case PAM_ERROR_MSG:
515 reply[i].resp_retcode = PAM_SUCCESS;
516 reply[i].resp = NULL;
517 break;
518 default: /* unknown message style */
519 free(reply);
520 return PAM_CONV_ERR;
521 }
522 }
523
524 *resp = reply;
525 return PAM_SUCCESS;
526 }
527
528 /*
529 * The PAM version as a side effect may put a new username in *name.
530 */
531 static int
check_user(char * name,char * cred)532 check_user(char *name, char *cred)
533 {
534 pam_handle_t *pamh = NULL;
535 const void *item;
536 int rval;
537 int e;
538 cred_t auth_cred = { name, cred };
539 struct pam_conv conv = { &auth_conv, &auth_cred };
540
541 e = pam_start("telnetd", name, &conv, &pamh);
542 if (e != PAM_SUCCESS) {
543 syslog(LOG_ERR, "pam_start: %s", pam_strerror(pamh, e));
544 return 0;
545 }
546
547 #if 0 /* Where can we find this value? */
548 e = pam_set_item(pamh, PAM_RHOST, remotehost);
549 if (e != PAM_SUCCESS) {
550 syslog(LOG_ERR, "pam_set_item(PAM_RHOST): %s",
551 pam_strerror(pamh, e));
552 return 0;
553 }
554 #endif
555
556 e = pam_authenticate(pamh, 0);
557 switch (e) {
558 case PAM_SUCCESS:
559 /*
560 * With PAM we support the concept of a "template"
561 * user. The user enters a login name which is
562 * authenticated by PAM, usually via a remote service
563 * such as RADIUS or TACACS+. If authentication
564 * succeeds, a different but related "template" name
565 * is used for setting the credentials, shell, and
566 * home directory. The name the user enters need only
567 * exist on the remote authentication server, but the
568 * template name must be present in the local password
569 * database.
570 *
571 * This is supported by two various mechanisms in the
572 * individual modules. However, from the application's
573 * point of view, the template user is always passed
574 * back as a changed value of the PAM_USER item.
575 */
576 if ((e = pam_get_item(pamh, PAM_USER, &item)) ==
577 PAM_SUCCESS) {
578 strcpy(name, item);
579 } else
580 syslog(LOG_ERR, "Couldn't get PAM_USER: %s",
581 pam_strerror(pamh, e));
582 if (isroot(name) && !rootterm(line))
583 rval = 0;
584 else
585 rval = 1;
586 break;
587
588 case PAM_AUTH_ERR:
589 case PAM_USER_UNKNOWN:
590 case PAM_MAXTRIES:
591 rval = 0;
592 break;
593
594 default:
595 syslog(LOG_ERR, "auth_pam: %s", pam_strerror(pamh, e));
596 rval = 0;
597 break;
598 }
599
600 if ((e = pam_end(pamh, e)) != PAM_SUCCESS) {
601 syslog(LOG_ERR, "pam_end: %s", pam_strerror(pamh, e));
602 rval = 0;
603 }
604 return rval;
605 }
606
607 #endif
608
609 #endif /* ENCRYPTION */
610 #endif /* SRA */
611