1 /*
2  * guard service
3  */
4 #include <u.h>
5 #include <libc.h>
6 #include <fcall.h>
7 #include <bio.h>
8 #include <ndb.h>
9 #include <libsec.h>
10 #include <authsrv.h>
11 #include "authcmdlib.h"
12
enum {
	Pinlen = 4,	/* leading digits of a response that may be the user's secure-id pin; masked in debug logs */
};
16
17 /*
18  * c -> a       client
19  * a -> c       challenge prompt
20  * c -> a       KC'{challenge}
21  * a -> c       OK or NO
22  */
23
void	catchalarm(void*, char*);	/* note handler: a note while waiting for the response fails the session */
void	getraddr(char*);		/* set raddr from the "remote" file of a connection directory */

char	user[ANAMELEN];	/* user name read from the client on fd 0 */
char	raddr[128];	/* peer address for log messages; "unknown" until getraddr fills it */
int	debug;		/* -d: log outcomes to AUTHLOG */
Ndb	*db;		/* /lib/ndb/auth concatenated with the default ndb (ndbopen(0)) */
31
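/*
 * guard: one challenge/response authentication per process.
 *
 * The user name arrives on fd 0, the challenge prompt goes out on fd 1,
 * and the response is read back from fd 0 (see the protocol sketch above).
 * The response passes if it is a correct netkey answer for the user's
 * DES key in NETKEYDB, or, failing that, if secureidcheck accepts it.
 * The client is told "OK" or "NO" and the outcome is recorded through
 * succeed()/fail().
 *
 * Arguments: -d logs progress and failures to AUTHLOG; the last
 * non-option argument, if any, is a connection directory whose
 * "remote" file supplies the peer address used in those log messages.
 */
void
main(int argc, char *argv[])
{
	int n;
	long chal;
	char *err, *prompt;
	char ukey[DESKEYLEN], resp[32];
	Ndb *db2;

	ARGBEGIN{
	case 'd':
		debug = 1;
		break;
	}ARGEND;

	/* a missing database is logged but is not fatal at this point */
	db = ndbopen("/lib/ndb/auth");
	if(db == 0)
		syslog(0, AUTHLOG, "no /lib/ndb/auth");
	db2 = ndbopen(0);
	if(db2 == 0)
		syslog(0, AUTHLOG, "no /lib/ndb/local");
	db = ndbcat(db, db2);
	werrstr("");

	/* peer address for logging; stays "unknown" if it cannot be read */
	strcpy(raddr, "unknown");
	if(argc >= 1)
		getraddr(argv[argc-1]);

	argv0 = "guard";
	notify(catchalarm);

	/*
	 * read the user name from the client
	 * (fail() is relied on not to return)
	 */
	if(readarg(0, user, sizeof user) < 0)
		fail(0);

	/*
	 * challenge-response.  The prompt is built with smprint so that its
	 * buffer is exactly as large as the text: sprint does no bounds
	 * checking, and a fixed-size array would have to be sized for the
	 * widest possible challenge.
	 */
	chal = nfastrand(MAXNETCHAL);
	prompt = smprint("challenge: %lud\nresponse: ", chal);
	if(prompt == nil){
		if(debug)
			syslog(0, AUTHLOG, "g-fail %s@%s: %r building chal",
				user, raddr);
		exits("replying to server");
	}
	n = strlen(prompt) + 1;		/* the NUL terminator is part of the message */
	if(write(1, prompt, n) != n){
		if(debug)
			syslog(0, AUTHLOG, "g-fail %s@%s: %r sending chal",
				user, raddr);
		exits("replying to server");
	}
	free(prompt);

	/* wait at most three minutes for the answer; catchalarm fails the session on the alarm note */
	alarm(3*60*1000);
	werrstr("");
	if(readarg(0, resp, sizeof resp) < 0){
		if(debug)
			syslog(0, AUTHLOG, "g-fail %s@%s: %r reading resp",
				user, raddr);
		fail(0);
	}
	alarm(0);

	/*
	 * remove password login from guard.research.bell-labs.com, sucre, etc.
	 * A valid netkey response for the user's DES key is accepted outright;
	 * otherwise the response is handed to the secure-id check.
	 */
	if(!finddeskey(NETKEYDB, user, ukey) || !netcheck(ukey, chal, resp)){
		if((err = secureidcheck(user, resp)) != nil){
			/*
			 * NOTE(review): print writes to fd 1, the client's side, so
			 * the failure reason reaches the client ahead of the bare
			 * NO; confirm the protocol expects that.
			 */
			print("NO %s", err);
			write(1, "NO", 2);
			if(debug){
				char *r;

				/*
				 * don't log the entire response, since the first
				 * Pinlen digits may be the user's secure-id pin.
				 */
				if(strlen(resp) < Pinlen)
					r = strdup("<too short for pin>");
				else if(strlen(resp) == Pinlen)
					r = strdup("<pin only>");
				else
					r = smprint("%.*s%s", Pinlen,
						"******************", resp + Pinlen);
				syslog(0, AUTHLOG,
					"g-fail %s@%s: %s: resp %s to chal %lud",
					user, raddr, err, r, chal);
				free(r);
			}
			fail(user);
		}
	}
	write(1, "OK", 2);
	if(debug)
		syslog(0, AUTHLOG, "g-ok %s@%s", user, raddr);
	succeed(user);
	exits(0);
}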
123
/*
 * Note handler installed by main.  It does not inspect the note, so any
 * note -- in particular the alarm armed around the response read -- ends
 * the session as a failure.  Both arguments are unused.
 */
void
catchalarm(void *x, char *msg)
{
	USED(x);
	USED(msg);
	if(debug != 0)
		syslog(0, AUTHLOG, "g-timed out %s", raddr);
	fail(0);
}
132
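/*
 * Fill raddr with the peer address of the connection whose directory is
 * dir, by reading dir/remote and cutting it at the first newline or '!'
 * (which drops the port).  raddr is left untouched when the path does
 * not fit in the local buffer, the file cannot be opened, or it is empty.
 */
void
getraddr(char *dir)
{
	int fd;
	long n;
	char *cp;
	char file[128];

	/* a truncated path would name some other file; give up instead */
	if(strlen(dir) + sizeof "/remote" > sizeof file)
		return;
	snprint(file, sizeof(file), "%s/remote", dir);
	fd = open(file, OREAD);
	if(fd < 0)
		return;
	n = read(fd, raddr, sizeof(raddr)-1);	/* leave room for the terminator */
	close(fd);
	if(n <= 0)
		return;
	raddr[n] = 0;
	cp = strchr(raddr, '\n');
	if(cp)
		*cp = 0;
	cp = strchr(raddr, '!');
	if(cp)
		*cp = 0;
}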