5 /* (c) Copyright 1988 by the Massachusetts Institute of Technology. */
6 /* For copying and distribution information, please see the file */
7 /* <mit-copyright.h>. */
/* RCS revision identifier kept in the object file for version tracking;
 * it is not referenced by any of the visible code. */
10 static char *rcsid_auth_002_c = "$Header$";
13 #include <mit-copyright.h>
19 #include <netinet/in.h>
22 #include <sys/utsname.h>
/* Shared scratch buffer defined elsewhere.  The auth_002 failure path
 * formats the rejection message into it with sprintf(); the principal
 * components it interpolates come from the received authenticator
 * (presumably fixed-size Kerberos fields) -- TODO confirm their bounds
 * keep the formatted message under BUFSIZ. */
25 extern char buf[BUFSIZ];
/* Set to 1 only after the ticket is accepted and the encrypted nonce
 * round-trip verifies; stays untouched on every failure path. */
26 extern int have_authorization;
/* Declared for use by this module; not referenced in the visible code. */
27 extern struct sockaddr_in *client_address();
/* Client connection used for every send_object()/receive_object() call
 * in the authentication exchange. */
28 extern CONNECTION conn;
/* Declared for use by this module; not referenced in the visible code. */
30 extern char *PrincipalHostname();
/* Kerberos service name this server expects in the ticket; passed to
 * krb_rd_req() together with the canonical local hostname. */
31 static char service[] = "rcmd";
/* Default principal name assumed when the config file has no "auth"
 * record: [master]@[local realm]. */
32 static char master[] = "sms";
/* Placeholder written into the principal name/instance/realm fields when
 * krb_rd_req() fails, so the failure message still has something to
 * print instead of uninitialized data. */
33 static char qmark[] = "???";
/* Session key stashed from the accepted authenticator on success; defined
 * elsewhere. */
34 extern C_Block session;
37 * authentication request auth_002:
39 * >>> (STRING) "auth_002"
44 * >>> (STRING) encrypted nonce
54 char host[BUFSIZ], realm[REALM_SZ];
55 char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
57 char *p, *first, *config_lookup();
62 des_key_schedule sched;
63 C_Block nonce, nonce2;
66 lose("sending okay for authorization (auth_002)");
67 code = receive_object(conn, (char *)&data, STRING_T);
69 code = connection_errno(conn);
70 lose("awaiting Kerberos authenticators");
74 strncpy(host, name.nodename, sizeof(host));
76 gethostname(host, sizeof(host));
79 ticket_st.length = MAX_STRING_SIZE(data);
80 memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));
81 code = krb_rd_req(&ticket_st, service,
82 krb_get_phost(host), 0,
85 code += ERROR_TABLE_BASE_krb;
86 strcpy(ad.pname, qmark);
87 strcpy(ad.pinst, qmark);
88 strcpy(ad.prealm, qmark);
92 /* If there is an auth record in the config file matching the
93 * authenticator we received, then accept it. If there's no
94 * auth record, assume [master]@[local realm].
96 if (first = p = config_lookup("auth")) {
98 kname_parse(aname, ainst, arealm, p);
99 if (strcmp(aname, ad.pname) ||
100 strcmp(ainst, ad.pinst) ||
101 strcmp(arealm, ad.prealm))
102 p = config_lookup("auth");
105 } while (p != first);
107 strcpy(aname, master);
109 if (krb_get_lrealm(arealm,1))
110 strcpy(arealm, KRB_REALM);
113 if (strcmp(aname, ad.pname) ||
114 strcmp(ainst, ad.pinst) ||
115 strcmp(arealm, ad.prealm))
119 lose("sending preliminary approval of authorization");
121 /* replay protection */
122 des_random_key(&nonce);
123 STRING_DATA(data) = (char *)nonce;
124 MAX_STRING_SIZE(data) = 8;
125 if (send_object(conn, (char *)&data, STRING_T))
126 lose("sending nonce");
127 code = receive_object(conn, (char *)&data, STRING_T);
129 code = connection_errno(conn);
132 des_key_sched(&ad.session, &sched);
133 des_ecb_encrypt(STRING_DATA(data), nonce2, sched, 0);
134 if (memcmp(nonce, nonce2, sizeof(nonce)))
138 lose("sending approval of authorization");
139 have_authorization = 1;
140 /* Stash away session key */
141 memcpy(session, ad.session, sizeof(session));
144 sprintf(buf, "auth for %s.%s@%s failed: %s",
145 ad.pname, ad.pinst, ad.prealm, error_message(code));
148 rc = send_object(conn, (char *)&code, INTEGER_T);
152 lose("sending rejection of authenticator");