5 /* (c) Copyright 1988 by the Massachusetts Institute of Technology. */
6 /* For copying and distribution information, please see the file */
7 /* <mit-copyright.h>. */
/* RCS "$Header$" keyword string embedded for identification of this
 * translation unit; not referenced by any code visible in this file. */
static char *rcsid_auth_002_c = "$Header$";
13 #include <mit-copyright.h>
19 #include <netinet/in.h>
22 #include <sys/utsname.h>
/* Scratch buffer shared with the rest of the server.  auth_002 formats its
 * "auth for %s.%s@%s failed: %s" message into it with sprintf(), with no
 * length check against BUFSIZ -- the principal components and the
 * error_message() text are assumed to fit. */
extern char buf[BUFSIZ];
/* Set to 1 by auth_002 once the client has decrypted the server's nonce
 * correctly; presumably gates privileged operations elsewhere -- verify
 * against the callers. */
extern int have_authorization;
/* Not referenced by the code visible in this file. */
extern struct sockaddr_in *client_address();
/* The client connection that receive_object()/send_object() operate on.
 * NOTE(review): every object read from it is attacker-controlled.  auth_002
 * copies MAX_STRING_SIZE(data) bytes of the received ticket into
 * ticket_st.dat without comparing that length to the destination's size; if
 * ticket_st is a fixed-size KTEXT_ST (as in Kerberos 4) that is a remote
 * buffer overflow reachable before authentication -- confirm and bound it. */
extern CONNECTION conn;
/* Not referenced by the code visible in this file. */
extern char *PrincipalHostname();
/* Kerberos service name the client's ticket must be for; passed to krb_rd_req. */
static char service[] = "rcmd";
/* Default principal name accepted when the config file has no "auth" record
 * (paired with the local realm from krb_get_lrealm, or KRB_REALM if that fails). */
static char master[] = "sms";
/* Placeholder written into ad.pname/pinst/prealm when krb_rd_req rejects the
 * ticket, so the failure message still has printable principal components. */
static char qmark[] = "???";
/* Session key of the accepted ticket, copied from ad.session on success for
 * later use by the server.  NOTE(review): a secret held in a global for the
 * life of the process; nothing visible here ever zeroizes it. */
extern C_Block session;
37 * authentication request auth_002:
39 * >>> (STRING) "auth_002"
44 * >>> (STRING) the server's 8-byte nonce, DES-ECB-encrypted by the client under the ticket's session key (the server decrypts it and compares it with the nonce it sent)
49 int auth_002(char *str)
53 char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
55 char *p, *first, *config_lookup();
58 des_key_schedule sched;
59 C_Block nonce, nonce2;
62 lose("sending okay for authorization (auth_002)");
63 code = receive_object(conn, (char *)&data, STRING_T);
66 code = connection_errno(conn);
67 lose("awaiting Kerberos authenticators");
71 ticket_st.length = MAX_STRING_SIZE(data);
72 memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));
73 code = krb_rd_req(&ticket_st, service, krb_get_phost(name.nodename), 0,
77 code += ERROR_TABLE_BASE_krb;
78 strcpy(ad.pname, qmark);
79 strcpy(ad.pinst, qmark);
80 strcpy(ad.prealm, qmark);
84 /* If there is an auth record in the config file matching the
85 * authenticator we received, then accept it. If there's no
86 * auth record, assume [master]@[local realm].
88 if (first = p = config_lookup("auth"))
92 kname_parse(aname, ainst, arealm, p);
93 if (strcmp(aname, ad.pname) ||
94 strcmp(ainst, ad.pinst) ||
95 strcmp(arealm, ad.prealm))
96 p = config_lookup("auth");
104 strcpy(aname, master);
106 if (krb_get_lrealm(arealm, 1))
107 strcpy(arealm, KRB_REALM);
110 if (strcmp(aname, ad.pname) ||
111 strcmp(ainst, ad.pinst) ||
112 strcmp(arealm, ad.prealm))
116 lose("sending preliminary approval of authorization");
118 /* replay protection */
119 des_random_key(&nonce);
120 STRING_DATA(data) = (char *)nonce;
121 MAX_STRING_SIZE(data) = 8;
122 if (send_object(conn, (char *)&data, STRING_T))
123 lose("sending nonce");
124 code = receive_object(conn, (char *)&data, STRING_T);
127 code = connection_errno(conn);
130 des_key_sched(ad.session, sched);
131 des_ecb_encrypt(STRING_DATA(data), nonce2, sched, 0);
132 if (memcmp(nonce, nonce2, sizeof(nonce)))
136 lose("sending approval of authorization");
137 have_authorization = 1;
138 /* Stash away session key */
139 memcpy(session, ad.session, sizeof(session));
142 sprintf(buf, "auth for %s.%s@%s failed: %s",
143 ad.pname, ad.pinst, ad.prealm, error_message(code));
146 rc = send_object(conn, (char *)&code, INTEGER_T);
150 lose("sending rejection of authenticator");