3 * Copyright (C) 1988-1998 by the Massachusetts Institute of Technology.
4 * For copying and distribution information, please see the file
8 #include <mit-copyright.h>
10 #include "update_server.h"
12 #include <sys/utsname.h>
/* Shared state for the update server's Kerberos authentication step.
 * auth_002() below reads and writes these; none are defined here. */
22 extern char buf[BUFSIZ];
/* buf: scratch buffer; auth_002() sprintf()s the "auth for ... failed"
 * message into it. NOTE(review): that sprintf() is unbounded -- the
 * principal fields come from fixed-size Kerberos structures, but the
 * total length is never checked against BUFSIZ; confirm or switch to
 * snprintf(). */
23 extern int have_authorization;
/* have_authorization: set to 1 only after the client's encrypted nonce
 * matches the one we sent, i.e. the authenticator has been verified. */
24 extern CONNECTION conn;
/* conn: the client connection used for every send_object()/receive_object()
 * in the auth exchange. */
26 static char service[] = "rcmd";
/* service: Kerberos service name handed to krb_rd_req() when reading the
 * client's ticket. */
27 static char master[] = "sms";
/* master: principal name assumed for the authorized client when the config
 * file has no "auth" record ([master]@[local realm]). */
28 static char qmark[] = "???";
/* qmark: placeholder copied into ad.pname/pinst/prealm so the failure
 * message below is well-formed; presumably used on the krb_rd_req() error
 * path (the branch that adds ERROR_TABLE_BASE_krb) -- confirm. */
29 extern C_Block session;
/* session: copy of ad.session taken after a successful authentication;
 * the session key is stashed here for later use by the server. */
32 * authentication request auth_002:
34 * >>> (STRING) "auth_002"
39 * >>> (STRING) encrypted nonce
44 int auth_002(char *str)
47 char aname[ANAME_SZ], ainst[INST_SZ], arealm[REALM_SZ];
52 des_key_schedule sched;
53 C_Block nonce, nonce2;
56 lose("sending okay for authorization (auth_002)");
57 code = receive_object(conn, (char *)&data, STRING_T);
60 code = connection_errno(conn);
61 lose("awaiting Kerberos authenticators");
65 ticket_st.length = MAX_STRING_SIZE(data);
66 memcpy(ticket_st.dat, STRING_DATA(data), MAX_STRING_SIZE(data));
67 code = krb_rd_req(&ticket_st, service, krb_get_phost(name.nodename), 0,
71 code += ERROR_TABLE_BASE_krb;
72 strcpy(ad.pname, qmark);
73 strcpy(ad.pinst, qmark);
74 strcpy(ad.prealm, qmark);
78 /* If there is an auth record in the config file matching the
79 * authenticator we received, then accept it. If there's no
80 * auth record, assume [master]@[local realm].
82 if ((first = p = config_lookup("auth")))
86 kname_parse(aname, ainst, arealm, p);
87 if (strcmp(aname, ad.pname) ||
88 strcmp(ainst, ad.pinst) ||
89 strcmp(arealm, ad.prealm))
90 p = config_lookup("auth");
98 strcpy(aname, master);
100 if (krb_get_lrealm(arealm, 1))
101 strcpy(arealm, KRB_REALM);
104 if (strcmp(aname, ad.pname) ||
105 strcmp(ainst, ad.pinst) ||
106 strcmp(arealm, ad.prealm))
110 lose("sending preliminary approval of authorization");
112 /* replay protection */
113 des_random_key(&nonce);
114 STRING_DATA(data) = (char *)nonce;
115 MAX_STRING_SIZE(data) = 8;
116 if (send_object(conn, (char *)&data, STRING_T))
117 lose("sending nonce");
118 code = receive_object(conn, (char *)&data, STRING_T);
121 code = connection_errno(conn);
124 des_key_sched(ad.session, sched);
125 des_ecb_encrypt(STRING_DATA(data), nonce2, sched, 0);
126 if (memcmp(nonce, nonce2, sizeof(nonce)))
130 lose("sending approval of authorization");
131 have_authorization = 1;
132 /* Stash away session key */
133 memcpy(session, ad.session, sizeof(session));
136 sprintf(buf, "auth for %s.%s@%s failed: %s",
137 ad.pname, ad.pinst, ad.prealm, error_message(code));
140 rc = send_object(conn, (char *)&code, INTEGER_T);
144 lose("sending rejection of authenticator");