summaryrefslogtreecommitdiffstats
path: root/third_party/heimdal/kpasswd
diff options
context:
space:
mode:
Diffstat (limited to 'third_party/heimdal/kpasswd')
-rw-r--r--third_party/heimdal/kpasswd/Makefile.am30
-rw-r--r--third_party/heimdal/kpasswd/NTMakefile51
-rw-r--r--third_party/heimdal/kpasswd/kpasswd-generator.c216
-rw-r--r--third_party/heimdal/kpasswd/kpasswd.168
-rw-r--r--third_party/heimdal/kpasswd/kpasswd.c249
-rw-r--r--third_party/heimdal/kpasswd/kpasswd_locl.h105
-rw-r--r--third_party/heimdal/kpasswd/kpasswdd.8110
-rw-r--r--third_party/heimdal/kpasswd/kpasswdd.c914
8 files changed, 1743 insertions, 0 deletions
diff --git a/third_party/heimdal/kpasswd/Makefile.am b/third_party/heimdal/kpasswd/Makefile.am
new file mode 100644
index 0000000..88132df
--- /dev/null
+++ b/third_party/heimdal/kpasswd/Makefile.am
@@ -0,0 +1,30 @@
+# $Id$
+
+include $(top_srcdir)/Makefile.am.common
+
+man_MANS = kpasswd.1 kpasswdd.8
+
+bin_PROGRAMS = kpasswd
+
+kpasswd_SOURCES = kpasswd.c kpasswd_locl.h
+
+libexec_PROGRAMS = kpasswdd
+
+noinst_PROGRAMS = kpasswd-generator
+
+kpasswdd_SOURCES = kpasswdd.c kpasswd_locl.h
+
+kpasswdd_LDADD = \
+ $(top_builddir)/lib/kadm5/libkadm5srv.la \
+ $(top_builddir)/lib/hdb/libhdb.la \
+ $(LDADD) \
+ $(LIB_pidfile) \
+ $(LIB_dlopen) \
+ $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB)
+
+LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
+ $(LIB_hcrypto) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(LIB_roken)
+
+EXTRA_DIST = NTMakefile $(man_MANS)
diff --git a/third_party/heimdal/kpasswd/NTMakefile b/third_party/heimdal/kpasswd/NTMakefile
new file mode 100644
index 0000000..382ae08
--- /dev/null
+++ b/third_party/heimdal/kpasswd/NTMakefile
@@ -0,0 +1,51 @@
+########################################################################
+#
+# Copyright (c) 2009, Secure Endpoints Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# - Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# - Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+#
+
+RELDIR=kpasswd
+
+!include ../windows/NTMakefile.w32
+
+BINPROGRAMS=\
+ $(BINDIR)\kpasswd.exe
+
+KPASSWDLIBS=\
+ $(LIBROKEN) \
+ $(LIBHEIMDAL) \
+ $(LIBVERS)
+
+$(BINDIR)\kpasswd.exe: $(OBJ)\kpasswd.obj $(KPASSWDLIBS)
+ $(EXECONLINK)
+ $(EXEPREP)
+
+all:: $(BINPROGRAMS)
+
+clean::
+ -$(RM) $(BINPROGRAMS)
diff --git a/third_party/heimdal/kpasswd/kpasswd-generator.c b/third_party/heimdal/kpasswd/kpasswd-generator.c
new file mode 100644
index 0000000..4fb4945
--- /dev/null
+++ b/third_party/heimdal/kpasswd/kpasswd-generator.c
@@ -0,0 +1,216 @@
+/*
+ * Copyright (c) 2000 - 2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kpasswd_locl.h"
+
+RCSID("$Id$");
+
+static unsigned
+read_words(const char *filename, char ***ret_w)
+{
+ unsigned n, alloc;
+ FILE *f;
+ char buf[256];
+ char **w = NULL;
+
+ f = fopen(filename, "r");
+ if (f == NULL)
+ err(1, "cannot open %s", filename);
+ alloc = n = 0;
+ while (fgets(buf, sizeof(buf), f) != NULL) {
+ buf[strcspn(buf, "\r\n")] = '\0';
+ if (n >= alloc) {
+ alloc += 16;
+ w = erealloc(w, alloc * sizeof(char *));
+ }
+ w[n++] = estrdup(buf);
+ }
+ *ret_w = w;
+ if (n == 0)
+ errx(1, "%s is an empty file, no words to try", filename);
+ fclose(f);
+ return n;
+}
+
+static int
+nop_prompter(krb5_context context,
+ void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[])
+{
+ return 0;
+}
+
+static void
+generate_requests(const char *filename, unsigned nreq)
+{
+ krb5_context context;
+ krb5_error_code ret;
+ int i;
+ char **words;
+ unsigned nwords, k;
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ nwords = read_words(filename, &words);
+
+ for (i = 0; i < nreq; ++i) {
+ char *name = words[rand() % nwords];
+ krb5_get_init_creds_opt *opt;
+ krb5_creds cred;
+ krb5_principal principal;
+ int result_code;
+ krb5_data result_code_string, result_string;
+ char *old_pwd, *new_pwd;
+ int aret;
+
+ krb5_get_init_creds_opt_alloc(context, &opt);
+ krb5_get_init_creds_opt_set_tkt_life (opt, 300);
+ krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
+ krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
+
+ ret = krb5_parse_name(context, name, &principal);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name %s", name);
+
+ aret = asprintf(&old_pwd, "%s", name);
+ if (aret == -1)
+ krb5_errx(context, 1, "out of memory");
+ aret = asprintf(&new_pwd, "%s2", name);
+ if (aret == -1)
+ krb5_errx(context, 1, "out of memory");
+
+ ret = krb5_get_init_creds_password(context,
+ &cred,
+ principal,
+ old_pwd,
+ nop_prompter,
+ NULL,
+ 0,
+ "kadmin/changepw",
+ opt);
+ if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY
+ || ret == KRB5KRB_AP_ERR_MODIFIED) {
+ char *tmp;
+
+ tmp = new_pwd;
+ new_pwd = old_pwd;
+ old_pwd = tmp;
+
+ ret = krb5_get_init_creds_password(context,
+ &cred,
+ principal,
+ old_pwd,
+ nop_prompter,
+ NULL,
+ 0,
+ "kadmin/changepw",
+ opt);
+ }
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_get_init_creds_password");
+
+ krb5_free_principal(context, principal);
+
+
+ ret = krb5_set_password(context,
+ &cred,
+ new_pwd,
+ NULL,
+ &result_code,
+ &result_code_string,
+ &result_string);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_change_password");
+
+ free(old_pwd);
+ free(new_pwd);
+ krb5_free_cred_contents(context, &cred);
+ krb5_get_init_creds_opt_free(context, opt);
+ }
+
+ for (k = 0; k < nwords; k++)
+ free(words[k]);
+ free(words);
+}
+
+static int version_flag = 0;
+static int help_flag = 0;
+
+static struct getargs args[] = {
+ { "version", 0, arg_flag, &version_flag, NULL, NULL },
+ { "help", 0, arg_flag, &help_flag, NULL, NULL }
+};
+
+static void
+usage(int ret)
+{
+ arg_printusage(args,
+ sizeof(args)/sizeof(*args),
+ NULL,
+ "file [number]");
+ exit (ret);
+}
+
+int
+main(int argc, char **argv)
+{
+ int optidx = 0;
+ int nreq;
+ char *end;
+
+ setprogname(argv[0]);
+ if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+ usage(1);
+ if (help_flag)
+ usage (0);
+ if (version_flag) {
+ print_version(NULL);
+ return 0;
+ }
+ argc -= optidx;
+ argv += optidx;
+
+ if (argc != 2)
+ usage (1);
+ srand (0);
+ nreq = strtol(argv[1], &end, 0);
+ if (argv[1] == end || *end != '\0')
+ usage (1);
+ generate_requests(argv[0], nreq);
+ return 0;
+}
diff --git a/third_party/heimdal/kpasswd/kpasswd.1 b/third_party/heimdal/kpasswd/kpasswd.1
new file mode 100644
index 0000000..679b389
--- /dev/null
+++ b/third_party/heimdal/kpasswd/kpasswd.1
@@ -0,0 +1,68 @@
+.\" Copyright (c) 1997, 2000 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id$
+.\"
+.Dd January 5, 2005
+.Dt KPASSWD 1
+.Os HEIMDAL
+.Sh NAME
+.Nm kpasswd
+.Nd Kerberos 5 password changing program
+.Sh SYNOPSIS
+.Nm
+.Op Fl Fl admin-principal= Ns Ar principal
+.Oo Fl c Ar cache \*(Ba Xo
+.Fl Fl cache= Ns Ar cache
+.Xc
+.Oc
+.Op Ar principal ...
+.Sh DESCRIPTION
+.Nm
+is the client for changing passwords.
+.Pp
+If administrator principal is given that principal is used to change
+the password.
+.Pp
+Multiple passwords for different users can be changed at the same time,
+then the administrator principal will be used.
+If the administrator isn't specified on the command prompt, the
+principal of the default credential cache will be used.
+.Pp
+If a credential cache is given, the
+.Fl Fl admin-principal
+flag is ignored and use the default name of the credential cache is
+used instead.
+.Sh DIAGNOSTICS
+If the password quality check fails or some other error occurs, an
+explanation is printed.
+.Sh SEE ALSO
+.Xr kpasswdd 8
diff --git a/third_party/heimdal/kpasswd/kpasswd.c b/third_party/heimdal/kpasswd/kpasswd.c
new file mode 100644
index 0000000..af5012f
--- /dev/null
+++ b/third_party/heimdal/kpasswd/kpasswd.c
@@ -0,0 +1,249 @@
+/*
+ * Copyright (c) 1997-2004 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id$");
+
+static int version_flag;
+static int help_flag;
+static char *admin_principal_str;
+static char *cred_cache_str;
+
+static struct getargs args[] = {
+ { "admin-principal", 0, arg_string, &admin_principal_str, NULL,
+ NULL },
+ { "cache", 'c', arg_string, &cred_cache_str, NULL, NULL },
+ { "version", 0, arg_flag, &version_flag, NULL, NULL },
+ { "help", 0, arg_flag, &help_flag, NULL, NULL }
+};
+
+static void
+usage (int ret, struct getargs *a, int num_args)
+{
+ arg_printusage (a, num_args, NULL, "[principal ...]");
+ exit (ret);
+}
+
+static int
+change_password(krb5_context context,
+ krb5_principal principal,
+ krb5_ccache id)
+{
+ krb5_data result_code_string, result_string;
+ int result_code;
+ krb5_error_code ret;
+ char pwbuf[BUFSIZ];
+ char *msg, *name;
+ int aret;
+
+ krb5_data_zero (&result_code_string);
+ krb5_data_zero (&result_string);
+
+ name = msg = NULL;
+ if (principal == NULL)
+ aret = asprintf(&msg, "New password: ");
+ else {
+ ret = krb5_unparse_name(context, principal, &name);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_unparse_name");
+
+ aret = asprintf(&msg, "New password for %s: ", name);
+ }
+
+ if (aret == -1 || msg == NULL)
+ krb5_errx (context, 1, "out of memory");
+
+ ret = UI_UTIL_read_pw_string (pwbuf, sizeof(pwbuf), msg,
+ UI_UTIL_FLAG_VERIFY);
+ free(msg);
+ if (name)
+ free(name);
+ if (ret != 0) {
+ return 1;
+ }
+
+ ret = krb5_set_password_using_ccache (context, id, pwbuf,
+ principal,
+ &result_code,
+ &result_code_string,
+ &result_string);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_set_password_using_ccache");
+ return 1;
+ }
+
+ printf ("%s%s%.*s\n", krb5_passwd_result_to_string(context, result_code),
+ result_string.length > 0 ? " : " : "",
+ (int)result_string.length,
+ result_string.length > 0 ? (char *)result_string.data : "");
+
+ krb5_data_free (&result_code_string);
+ krb5_data_free (&result_string);
+
+ return ret != 0;
+}
+
+
+int
+main (int argc, char **argv)
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_principal principal;
+ krb5_get_init_creds_opt *opt;
+ krb5_ccache id = NULL;
+ int exit_value;
+ int optidx = 0;
+
+ setprogname(argv[0]);
+
+ if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+ usage(1, args, sizeof(args) / sizeof(args[0]));
+ if (help_flag)
+ usage(0, args, sizeof(args) / sizeof(args[0]));
+ if (version_flag) {
+ print_version(NULL);
+ return 0;
+ }
+ argc -= optidx;
+ argv += optidx;
+
+ ret = krb5_init_context (&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ ret = krb5_get_init_creds_opt_alloc (context, &opt);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_get_init_creds_opt_alloc");
+
+ krb5_get_init_creds_opt_set_tkt_life (opt, 300);
+ krb5_get_init_creds_opt_set_forwardable (opt, FALSE);
+ krb5_get_init_creds_opt_set_proxiable (opt, FALSE);
+
+ if (cred_cache_str) {
+ ret = krb5_cc_resolve(context, cred_cache_str, &id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_resolve");
+ } else {
+ ret = krb5_cc_new_unique(context, krb5_cc_type_memory, NULL, &id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_new_unique");
+ }
+
+ if (cred_cache_str == NULL) {
+ krb5_principal admin_principal = NULL;
+ krb5_creds cred;
+
+ if (admin_principal_str) {
+ ret = krb5_parse_name (context, admin_principal_str,
+ &admin_principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+ } else if (argc == 1) {
+ ret = krb5_parse_name (context, argv[0], &admin_principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+ } else {
+ ret = krb5_get_default_principal (context, &admin_principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_get_default_principal");
+ }
+
+ ret = krb5_get_init_creds_password (context,
+ &cred,
+ admin_principal,
+ NULL,
+ krb5_prompter_posix,
+ NULL,
+ 0,
+ "kadmin/changepw",
+ opt);
+ switch (ret) {
+ case 0:
+ break;
+ case KRB5_LIBOS_PWDINTR :
+ return 1;
+ case KRB5KRB_AP_ERR_BAD_INTEGRITY :
+ case KRB5KRB_AP_ERR_MODIFIED :
+ krb5_errx(context, 1, "Password incorrect");
+ break;
+ default:
+ krb5_err(context, 1, ret, "krb5_get_init_creds");
+ }
+
+ krb5_get_init_creds_opt_free(context, opt);
+
+ ret = krb5_cc_initialize(context, id, admin_principal);
+ krb5_free_principal(context, admin_principal);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_initialize");
+
+ ret = krb5_cc_store_cred(context, id, &cred);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_store_cred");
+
+ krb5_free_cred_contents (context, &cred);
+ }
+
+ if (argc == 0) {
+ exit_value = change_password(context, NULL, id);
+ } else {
+ exit_value = 0;
+
+ while (argc-- > 0) {
+
+ ret = krb5_parse_name (context, argv[0], &principal);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_parse_name");
+
+ ret = change_password(context, principal, id);
+ if (ret)
+ exit_value = 1;
+ krb5_free_principal(context, principal);
+ argv++;
+ }
+ }
+
+ if (cred_cache_str == NULL) {
+ ret = krb5_cc_destroy(context, id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_destroy");
+ } else {
+ ret = krb5_cc_close(context, id);
+ if (ret)
+ krb5_err (context, 1, ret, "krb5_cc_close");
+ }
+
+ krb5_free_context (context);
+ return exit_value;
+}
diff --git a/third_party/heimdal/kpasswd/kpasswd_locl.h b/third_party/heimdal/kpasswd/kpasswd_locl.h
new file mode 100644
index 0000000..3be2096
--- /dev/null
+++ b/third_party/heimdal/kpasswd/kpasswd_locl.h
@@ -0,0 +1,105 @@
+/*
+ * Copyright (c) 1997 - 2001 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/* $Id$ */
+
+#ifndef __KPASSWD_LOCL_H__
+#define __KPASSWD_LOCL_H__
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <roken.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#ifdef HAVE_SYS_TYPES_H
+#include <sys/types.h>
+#endif
+#ifdef HAVE_FCNTL_H
+#include <fcntl.h>
+#endif
+#ifdef HAVE_SYS_UIO_H
+#include <sys/uio.h>
+#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+#endif
+#ifdef HAVE_SYS_TIME_H
+#include <sys/time.h>
+#endif
+#ifdef HAVE_SYS_SELECT_H
+#include <sys/select.h>
+#endif
+#ifdef HAVE_SYS_SOCKET_H
+#include <sys/socket.h>
+#endif
+#ifdef HAVE_NETINET_IN_H
+#include <netinet/in.h>
+#endif
+#ifdef HAVE_NETINET_IN6_H
+#include <netinet/in6.h>
+#endif
+#ifdef HAVE_NETINET6_IN6_H
+#include <netinet6/in6.h>
+#endif
+
+#ifdef HAVE_ARPA_INET_H
+#include <arpa/inet.h>
+#endif
+#ifdef HAVE_NETDB_H
+#include <netdb.h>
+#endif
+#ifdef HAVE_ERRNO_H
+#include <errno.h>
+#endif
+#ifdef HAVE_DLFCN_H
+#include <dlfcn.h>
+#endif
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif
+#ifdef HAVE_LIBUTIL_H
+#include <libutil.h>
+#endif
+#include <err.h>
+#include <getarg.h>
+#include <krb5.h>
+#include "crypto-headers.h" /* for des_read_pw_string */
+
+#endif /* __KPASSWD_LOCL_H__ */
diff --git a/third_party/heimdal/kpasswd/kpasswdd.8 b/third_party/heimdal/kpasswd/kpasswdd.8
new file mode 100644
index 0000000..d68aca2
--- /dev/null
+++ b/third_party/heimdal/kpasswd/kpasswdd.8
@@ -0,0 +1,110 @@
+.\" Copyright (c) 1997, 2000 - 2005 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.Dd April 19, 1999
+.Dt KPASSWDD 8
+.Os HEIMDAL
+.Sh NAME
+.Nm kpasswdd
+.Nd Kerberos 5 password changing server
+.Sh SYNOPSIS
+.Nm
+.Bk -words
+.Op Fl Fl addresses= Ns Ar address
+.Op Fl Fl check-library= Ns Ar library
+.Op Fl Fl check-function= Ns Ar function
+.Oo Fl k Ar kspec \*(Ba Xo
+.Fl Fl keytab= Ns Ar kspec
+.Xc
+.Oc
+.Oo Fl r Ar realm \*(Ba Xo
+.Fl Fl realm= Ns Ar realm
+.Xc
+.Oc
+.Oo Fl p Ar string \*(Ba Xo
+.Fl Fl port= Ns Ar string
+.Xc
+.Oc
+.Op Fl Fl version
+.Op Fl Fl help
+.Ek
+.Sh DESCRIPTION
+.Nm
+serves request for password changes. It listens on UDP port 464
+(service kpasswd) and processes requests when they arrive. It changes
+the database directly and should thus only run on the master KDC.
+.Pp
+Supported options:
+.Bl -tag -width Ds
+.It Fl Fl addresses= Ns Ar address
+For each till the argument is given, add the address to what kpasswdd
+should listen too.
+.It Fl Fl check-library= Ns Ar library
+If your system has support for dynamic loading of shared libraries,
+you can use an external function to check password quality. This
+option specifies which library to load.
+.It Fl Fl check-function= Ns Ar function
+This is the function to call in the loaded library. The function
+should look like this:
+.Pp
+.Ft const char *
+.Fn passwd_check "krb5_context context" "krb5_principal principal" "krb5_data *password"
+.Pp
+.Fa context
+is an initialized context;
+.Fa principal
+is the one who tries to change passwords, and
+.Fa password
+is the new password. Note that the password (in
+.Fa password->data )
+is not zero terminated.
+.It Fl k Ar kspec , Fl Fl keytab= Ns Ar kspec
+Keytab to get authentication key from.
+.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
+Default realm.
+.It Fl p Ar string , Fl Fl port= Ns Ar string
+Port to listen on (default service kpasswd - 464).
+.El
+.Sh DIAGNOSTICS
+If an error occurs, the error message is returned to the user and/or
+logged to syslog.
+.Sh BUGS
+The default password quality checks are too basic.
+.Sh SEE ALSO
+.Xr kpasswd 1 ,
+.Xr kdc 8
+.\".Sh ENVIRONMENT
+.\".Sh FILES
+.\".Sh EXAMPLES
+.\".Sh SEE ALSO
+.\".Sh STANDARDS
+.\".Sh HISTORY
+.\".Sh AUTHORS
diff --git a/third_party/heimdal/kpasswd/kpasswdd.c b/third_party/heimdal/kpasswd/kpasswdd.c
new file mode 100644
index 0000000..43a7335
--- /dev/null
+++ b/third_party/heimdal/kpasswd/kpasswdd.c
@@ -0,0 +1,914 @@
+/*
+ * Copyright (c) 1997-2005 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of the Institute nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include "kpasswd_locl.h"
+RCSID("$Id$");
+
+#include <kadm5/admin.h>
+#ifdef HAVE_SYS_UN_H
+#include <sys/un.h>
+#endif
+#include <hdb.h>
+#include <kadm5/private.h>
+#include <kadm5/kadm5_err.h>
+
+static krb5_context context;
+static krb5_log_facility *log_facility;
+
+static struct getarg_strings addresses_str;
+krb5_addresses explicit_addresses;
+
+static sig_atomic_t exit_flag = 0;
+
+static void
+add_one_address (const char *str, int first)
+{
+ krb5_error_code ret;
+ krb5_addresses tmp;
+
+ ret = krb5_parse_address (context, str, &tmp);
+ if (ret)
+ krb5_err (context, 1, ret, "parse_address `%s'", str);
+ if (first)
+ krb5_copy_addresses(context, &tmp, &explicit_addresses);
+ else
+ krb5_append_addresses(context, &explicit_addresses, &tmp);
+ krb5_free_addresses (context, &tmp);
+}
+
+static void
+send_reply (int s,
+ struct sockaddr *sa,
+ int sa_size,
+ krb5_data *ap_rep,
+ krb5_data *rest)
+{
+ struct msghdr msghdr;
+ struct iovec iov[3];
+ uint16_t len, ap_rep_len;
+ u_char header[6];
+ u_char *p;
+
+ if (ap_rep)
+ ap_rep_len = ap_rep->length;
+ else
+ ap_rep_len = 0;
+
+ len = 6 + ap_rep_len + rest->length;
+ p = header;
+ *p++ = (len >> 8) & 0xFF;
+ *p++ = (len >> 0) & 0xFF;
+ *p++ = 0;
+ *p++ = 1;
+ *p++ = (ap_rep_len >> 8) & 0xFF;
+ *p++ = (ap_rep_len >> 0) & 0xFF;
+
+ memset (&msghdr, 0, sizeof(msghdr));
+ msghdr.msg_name = (void *)sa;
+ msghdr.msg_namelen = sa_size;
+ msghdr.msg_iov = iov;
+ msghdr.msg_iovlen = sizeof(iov)/sizeof(*iov);
+#if 0
+ msghdr.msg_control = NULL;
+ msghdr.msg_controllen = 0;
+#endif
+
+ iov[0].iov_base = (char *)header;
+ iov[0].iov_len = 6;
+ if (ap_rep_len) {
+ iov[1].iov_base = ap_rep->data;
+ iov[1].iov_len = ap_rep->length;
+ } else {
+ iov[1].iov_base = NULL;
+ iov[1].iov_len = 0;
+ }
+ iov[2].iov_base = rest->data;
+ iov[2].iov_len = rest->length;
+
+ if (sendmsg (s, &msghdr, 0) < 0)
+ krb5_warn (context, errno, "sendmsg");
+}
+
+static int
+make_result (krb5_data *data,
+ uint16_t result_code,
+ const char *expl)
+{
+ krb5_error_code ret;
+ krb5_storage *sp;
+
+ sp = krb5_storage_emem();
+ if (sp == NULL) goto out;
+ ret = krb5_store_uint16(sp, result_code);
+ if (ret) goto out;
+ ret = krb5_store_stringz(sp, expl);
+ if (ret) goto out;
+ ret = krb5_storage_to_data(sp, data);
+ if (ret) goto out;
+ krb5_storage_free(sp);
+
+ return 0;
+ out:
+ if (sp)
+ krb5_storage_free(sp);
+
+ krb5_warnx (context, "Out of memory generating error reply");
+ return 1;
+}
+
+static void
+reply_error (krb5_realm realm,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ krb5_error_code error_code,
+ uint16_t result_code,
+ const char *expl)
+{
+ krb5_error_code ret;
+ krb5_data error_data;
+ krb5_data e_data;
+ krb5_principal server = NULL;
+
+ if (make_result(&e_data, result_code, expl))
+ return;
+
+ if (realm) {
+ ret = krb5_make_principal (context, &server, realm,
+ "kadmin", "changepw", NULL);
+ if (ret) {
+ krb5_data_free (&e_data);
+ return;
+ }
+ }
+
+ ret = krb5_mk_error (context,
+ error_code,
+ NULL,
+ &e_data,
+ NULL,
+ server,
+ NULL,
+ NULL,
+ &error_data);
+ if (server)
+ krb5_free_principal(context, server);
+ krb5_data_free (&e_data);
+ if (ret) {
+ krb5_warn (context, ret, "Could not even generate error reply");
+ return;
+ }
+ send_reply (s, sa, sa_size, NULL, &error_data);
+ krb5_data_free (&error_data);
+}
+
+static void
+reply_priv (krb5_auth_context auth_context,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ uint16_t result_code,
+ const char *expl)
+{
+ krb5_error_code ret;
+ krb5_data krb_priv_data;
+ krb5_data ap_rep_data;
+ krb5_data e_data;
+
+ ret = krb5_mk_rep (context,
+ auth_context,
+ &ap_rep_data);
+ if (ret) {
+ krb5_warn (context, ret, "Could not even generate error reply");
+ return;
+ }
+
+ if (make_result(&e_data, result_code, expl))
+ return;
+
+ ret = krb5_mk_priv (context,
+ auth_context,
+ &e_data,
+ &krb_priv_data,
+ NULL);
+ krb5_data_free (&e_data);
+ if (ret) {
+ krb5_warn (context, ret, "Could not even generate error reply");
+ return;
+ }
+ send_reply (s, sa, sa_size, &ap_rep_data, &krb_priv_data);
+ krb5_data_free (&ap_rep_data);
+ krb5_data_free (&krb_priv_data);
+}
+
+/*
+ * Change the password for `principal', sending the reply back on `s'
+ * (`sa', `sa_size') to `pwd_data'.
+ */
+
+static void
+change (krb5_auth_context auth_context,
+ krb5_principal admin_principal,
+ uint16_t version,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ krb5_data *in_data)
+{
+ krb5_error_code ret;
+ char *client = NULL, *admin = NULL;
+ kadm5_config_params conf;
+ void *kadm5_handle = NULL;
+ krb5_principal principal = NULL;
+ krb5_data *pwd_data = NULL;
+ char *tmp;
+ ChangePasswdDataMS chpw;
+
+ memset (&conf, 0, sizeof(conf));
+ memset(&chpw, 0, sizeof(chpw));
+
+ if (version == KRB5_KPASSWD_VERS_CHANGEPW) {
+ ret = krb5_copy_data(context, in_data, &pwd_data);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_copy_data");
+ reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
+ "out out memory copying password");
+ return;
+ }
+ principal = admin_principal;
+ } else if (version == KRB5_KPASSWD_VERS_SETPW) {
+ size_t len;
+
+ ret = decode_ChangePasswdDataMS(in_data->data, in_data->length,
+ &chpw, &len);
+ if (ret) {
+ krb5_warn (context, ret, "decode_ChangePasswdDataMS");
+ reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
+ "malformed ChangePasswdData");
+ return;
+ }
+
+
+ ret = krb5_copy_data(context, &chpw.newpasswd, &pwd_data);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_copy_data");
+ reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_MALFORMED,
+ "out out memory copying password");
+ goto out;
+ }
+
+ if (chpw.targname == NULL && chpw.targrealm != NULL) {
+ krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+ reply_priv (auth_context, s, sa, sa_size,
+ KRB5_KPASSWD_MALFORMED,
+ "targrealm but not targname");
+ goto out;
+ }
+
+ if (chpw.targname) {
+ krb5_principal_data princ;
+
+ memset(&princ, 0, sizeof (princ));
+ princ.name = *chpw.targname;
+ princ.realm = *chpw.targrealm;
+ if (princ.realm == NULL) {
+ ret = krb5_get_default_realm(context, &princ.realm);
+
+ if (ret) {
+ krb5_warnx (context,
+ "kadm5_init_with_password_ctx: "
+ "failed to allocate realm");
+ reply_priv (auth_context, s, sa, sa_size,
+ KRB5_KPASSWD_SOFTERROR,
+ "failed to allocate realm");
+ goto out;
+ }
+ }
+ ret = krb5_copy_principal(context, &princ, &principal);
+ if (*chpw.targrealm == NULL)
+ free(princ.realm);
+ if (ret) {
+ krb5_warn(context, ret, "krb5_copy_principal");
+ reply_priv(auth_context, s, sa, sa_size,
+ KRB5_KPASSWD_HARDERROR,
+ "failed to allocate principal");
+ goto out;
+ }
+ } else
+ principal = admin_principal;
+ } else {
+ krb5_warnx (context, "kadm5_init_with_password_ctx: unknown proto");
+ reply_priv (auth_context, s, sa, sa_size,
+ KRB5_KPASSWD_HARDERROR,
+ "Unknown protocol used");
+ return;
+ }
+
+ ret = krb5_unparse_name (context, admin_principal, &admin);
+ if (ret) {
+ krb5_warn (context, ret, "unparse_name failed");
+ reply_priv (auth_context, s, sa, sa_size,
+ KRB5_KPASSWD_HARDERROR, "out of memory error");
+ goto out;
+ }
+
+ conf.realm = principal->realm;
+ conf.mask |= KADM5_CONFIG_REALM;
+
+ ret = kadm5_init_with_password_ctx(context,
+ admin,
+ NULL,
+ KADM5_ADMIN_SERVICE,
+ &conf, 0, 0,
+ &kadm5_handle);
+ if (ret) {
+ krb5_warn (context, ret, "kadm5_init_with_password_ctx");
+ reply_priv (auth_context, s, sa, sa_size, 2,
+ "Internal error");
+ goto out;
+ }
+
+ ret = krb5_unparse_name(context, principal, &client);
+ if (ret) {
+ krb5_warn (context, ret, "unparse_name failed");
+ reply_priv (auth_context, s, sa, sa_size,
+ KRB5_KPASSWD_HARDERROR, "out of memory error");
+ goto out;
+ }
+
+ if (krb5_principal_compare(context, admin_principal, principal) == FALSE) {
+ ret = _kadm5_acl_check_permission(kadm5_handle, KADM5_PRIV_CPW,
+ principal);
+ if (ret) {
+ krb5_warn (context, ret,
+ "Check ACL failed for %s for changing %s password",
+ admin, client);
+ reply_priv (auth_context, s, sa, sa_size,
+ KRB5_KPASSWD_HARDERROR, "permission denied");
+ goto out;
+ }
+ krb5_warnx (context, "%s is changing password for %s", admin, client);
+ } else {
+ krb5_warnx (context, "Changing password for %s", client);
+ }
+
+ ret = krb5_data_realloc(pwd_data, pwd_data->length + 1);
+ if (ret) {
+ krb5_warn (context, ret, "malloc: out of memory");
+ reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_HARDERROR,
+ "Internal error");
+ goto out;
+ }
+ tmp = pwd_data->data;
+ tmp[pwd_data->length - 1] = '\0';
+
+ ret = kadm5_s_chpass_principal_cond (kadm5_handle, principal, 1, tmp);
+ krb5_free_data (context, pwd_data);
+ pwd_data = NULL;
+ if (ret) {
+ const char *str = krb5_get_error_message(context, ret);
+
+ switch (ret) {
+ case KADM5_PASS_Q_TOOSHORT:
+ case KADM5_PASS_Q_CLASS:
+ case KADM5_PASS_Q_DICT:
+ case KADM5_PASS_Q_GENERIC:
+ krb5_warnx(context,
+ "%s didn't pass password quality check with error: %s",
+ client, str);
+ break;
+ default:
+ krb5_warnx(context, "kadm5_s_chpass_principal_cond: %s", str);
+ }
+ reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SOFTERROR,
+ str ? str : "Internal error");
+ krb5_free_error_message(context, str);
+ goto out;
+ }
+ reply_priv (auth_context, s, sa, sa_size, KRB5_KPASSWD_SUCCESS,
+ "Password changed");
+out:
+ free_ChangePasswdDataMS(&chpw);
+ if (principal != admin_principal)
+ krb5_free_principal(context, principal);
+ if (admin)
+ free(admin);
+ if (client)
+ free(client);
+ if (pwd_data)
+ krb5_free_data(context, pwd_data);
+ if (kadm5_handle)
+ kadm5_destroy (kadm5_handle);
+}
+
+static int
+verify (krb5_auth_context *auth_context,
+ krb5_keytab keytab,
+ krb5_ticket **ticket,
+ krb5_data *out_data,
+ uint16_t *version,
+ int s,
+ struct sockaddr *sa,
+ int sa_size,
+ u_char *msg,
+ size_t len,
+ krb5_address *client_addr)
+{
+ krb5_error_code ret;
+ uint16_t pkt_len, pkt_ver, ap_req_len;
+ krb5_data ap_req_data;
+ krb5_data krb_priv_data;
+ krb5_const_realm client_realm;
+ krb5_principal sprinc;
+ int same;
+
+ /*
+ * Only send an error reply if the request passes basic length
+ * verification. Otherwise, kpasswdd would reply to every UDP packet,
+ * allowing an attacker to set up a ping-pong DoS attack via a spoofed UDP
+ * packet with a source address of another UDP service that also replies
+ * to every packet.
+ *
+ * Also suppress the error reply if ap_req_len is 0, which indicates
+ * either an invalid request or an error packet. An error packet may be
+ * the result of a ping-pong attacker pointing us at another kpasswdd.
+ */
+ if (len < 6) {
+ krb5_warnx(context, "Message too short: %llu",
+ (unsigned long long)len);
+ return 1;
+ }
+ pkt_len = (msg[0] << 8) | (msg[1]);
+ pkt_ver = (msg[2] << 8) | (msg[3]);
+ ap_req_len = (msg[4] << 8) | (msg[5]);
+ if (pkt_len != len) {
+ krb5_warnx(context, "Bad packet length: %u != %llu", pkt_len,
+ (unsigned long long)len);
+ return 1;
+ }
+ if (ap_req_len == 0) {
+ krb5_warnx (context, "Request is error packet (ap_req_len == 0)");
+ return 1;
+ }
+ if (ap_req_len + 6 > len) {
+ krb5_warnx(context, "Bad AP-REQ length: %u", ap_req_len);
+ return 1;
+ }
+ if (pkt_ver != KRB5_KPASSWD_VERS_CHANGEPW &&
+ pkt_ver != KRB5_KPASSWD_VERS_SETPW) {
+ krb5_warnx (context, "Bad version (%d)", pkt_ver);
+ reply_error (NULL, s, sa, sa_size, 0, 1, "Wrong program version");
+ return 1;
+ }
+ *version = pkt_ver;
+
+ ap_req_data.data = msg + 6;
+ ap_req_data.length = ap_req_len;
+
+ ret = krb5_rd_req (context,
+ auth_context,
+ &ap_req_data,
+ NULL,
+ keytab,
+ NULL,
+ ticket);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_rd_req");
+ reply_error (NULL, s, sa, sa_size, ret, 3, "Authentication failed");
+ return 1;
+ }
+
+ if (!(*ticket)->ticket.flags.initial) {
+ krb5_warnx(context, "initial flag not set");
+ reply_error((*ticket)->server->realm, s, sa, sa_size, ret, 1,
+ "Bad request");
+ goto out;
+ }
+
+ /*
+ * The service principal must be kadmin/changepw@CLIENT-REALM, there
+ * is no reason to require the KDC's default realm(s) to be the same
+ * as the realm(s) it serves. The only potential issue is when a KDC
+ * is a master for realm A and a slave for realm B, in which case it
+ * should not accept requests to change passwords for realm B, these
+ * should be sent to realm B's master. This same issue is present in
+ * the checks that only accepted local realms, there is no new risk.
+ */
+
+ client_realm = krb5_principal_get_realm(context, (*ticket)->client);
+ ret = krb5_make_principal(context, &sprinc, client_realm,
+ "kadmin", "changepw", NULL);
+ if (ret)
+ goto out;
+ same = krb5_principal_compare(context, sprinc, (*ticket)->server);
+ krb5_free_principal(context, sprinc);
+
+ if (!same) {
+ char *sname;
+
+ if (krb5_unparse_name(context, (*ticket)->server, &sname) != 0)
+ sname = NULL;
+ krb5_warnx(context, "Invalid kpasswd service principal %s",
+ sname ? sname : "<enomem>");
+ free(sname);
+ reply_error(NULL, s, sa, sa_size, ret, 1, "Bad request");
+ goto out;
+ }
+ krb_priv_data.data = msg + 6 + ap_req_len;
+ krb_priv_data.length = len - 6 - ap_req_len;
+
+ /*
+ * Only enforce client addresses on on tickets with addresses. If
+ * its addressless, we are guessing its behind NAT and really
+ * can't know this information.
+ */
+
+ if ((*ticket)->ticket.caddr && (*ticket)->ticket.caddr->len > 0) {
+ ret = krb5_auth_con_setaddrs (context, *auth_context,
+ NULL, client_addr);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
+ goto out;
+ }
+ }
+
+ ret = krb5_rd_priv (context,
+ *auth_context,
+ &krb_priv_data,
+ out_data,
+ NULL);
+
+ if (ret) {
+ krb5_warn (context, ret, "krb5_rd_priv");
+ reply_error ((*ticket)->server->realm, s, sa, sa_size, ret, 3,
+ "Bad request");
+ goto out;
+ }
+ return 0;
+out:
+ krb5_free_ticket (context, *ticket);
+ ticket = NULL;
+ return 1;
+}
+
+static void
+process (krb5_keytab keytab,
+ int s,
+ krb5_address *this_addr,
+ struct sockaddr *sa,
+ int sa_size,
+ u_char *msg,
+ int len)
+{
+ krb5_error_code ret;
+ krb5_auth_context auth_context = NULL;
+ krb5_data out_data;
+ krb5_ticket *ticket;
+ krb5_address other_addr;
+ uint16_t version;
+
+ memset(&other_addr, 0, sizeof(other_addr));
+ krb5_data_zero (&out_data);
+
+ ret = krb5_auth_con_init (context, &auth_context);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_auth_con_init");
+ return;
+ }
+
+ krb5_auth_con_setflags (context, auth_context,
+ KRB5_AUTH_CONTEXT_DO_SEQUENCE);
+
+ ret = krb5_sockaddr2address (context, sa, &other_addr);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_sockaddr2address");
+ goto out;
+ }
+
+ ret = krb5_auth_con_setaddrs (context, auth_context, this_addr, NULL);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_auth_con_setaddr(this)");
+ goto out;
+ }
+
+ if (verify (&auth_context, keytab, &ticket, &out_data,
+ &version, s, sa, sa_size, msg, len, &other_addr) == 0)
+ {
+ /*
+ * We always set the client_addr, to assume that the client
+ * can ignore it if it choose to do so (just the server does
+ * so for addressless tickets).
+ */
+ ret = krb5_auth_con_setaddrs (context, auth_context,
+ this_addr, &other_addr);
+ if (ret) {
+ krb5_warn (context, ret, "krb5_auth_con_setaddr(other)");
+ goto out;
+ }
+
+ change (auth_context,
+ ticket->client,
+ version,
+ s,
+ sa, sa_size,
+ &out_data);
+ memset (out_data.data, 0, out_data.length);
+ krb5_free_ticket (context, ticket);
+ }
+
+out:
+ krb5_free_address(context, &other_addr);
+ krb5_data_free(&out_data);
+ krb5_auth_con_free(context, auth_context);
+}
+
+static const char *check_library = NULL;
+static const char *check_function = NULL;
+static getarg_strings policy_libraries = { 0, NULL };
+static char sHDB[] = "HDBGET:";
+static char *keytab_str = sHDB;
+static char *realm_str;
+static int version_flag;
+static int help_flag;
+static int detach_from_console;
+static int daemon_child = -1;
+static char *port_str;
+static char *config_file;
+
+struct getargs args[] = {
+#ifdef HAVE_DLOPEN
+ { "check-library", 0, arg_string, &check_library,
+ "library to load password check function from", "library" },
+ { "check-function", 0, arg_string, &check_function,
+ "password check function to load", "function" },
+ { "policy-libraries", 0, arg_strings, &policy_libraries,
+ "password check function to load", "function" },
+#endif
+ { "addresses", 0, arg_strings, &addresses_str,
+ "addresses to listen on", "list of addresses" },
+ { "detach", 0, arg_flag, &detach_from_console,
+ "detach from console", NULL },
+ { "daemon-child", 0 , arg_integer, &daemon_child,
+ "private argument, do not use", NULL },
+ { "keytab", 'k', arg_string, &keytab_str,
+ "keytab to get authentication key from", "kspec" },
+ { "config-file", 'c', arg_string, &config_file, NULL, NULL },
+ { "realm", 'r', arg_string, &realm_str, "default realm", "realm" },
+ { "port", 'p', arg_string, &port_str, "port", NULL },
+ { "version", 0, arg_flag, &version_flag, NULL, NULL },
+ { "help", 0, arg_flag, &help_flag, NULL, NULL }
+};
+int num_args = sizeof(args) / sizeof(args[0]);
+
+static int
+doit(krb5_keytab keytab, int port)
+{
+ krb5_error_code ret;
+ int *sockets;
+ int maxfd;
+ krb5_addresses addrs;
+ unsigned n, i;
+ fd_set real_fdset;
+ struct sockaddr_storage __ss;
+ struct sockaddr *sa = (struct sockaddr *)&__ss;
+
+ if (explicit_addresses.len) {
+ addrs = explicit_addresses;
+ } else {
+ ret = krb5_get_all_server_addrs(context, &addrs);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_get_all_server_addrs");
+ }
+ n = addrs.len;
+
+ sockets = malloc(n * sizeof(*sockets));
+ if (sockets == NULL)
+ krb5_errx(context, 1, "out of memory");
+ maxfd = -1;
+ FD_ZERO(&real_fdset);
+ for (i = 0; i < n; ++i) {
+ krb5_socklen_t sa_size = sizeof(__ss);
+
+ krb5_addr2sockaddr(context, &addrs.val[i], sa, &sa_size, port);
+
+ sockets[i] = socket(__ss.ss_family, SOCK_DGRAM, 0);
+ if (sockets[i] < 0)
+ krb5_err(context, 1, errno, "socket");
+ if (bind(sockets[i], sa, sa_size) < 0) {
+ char str[128];
+ size_t len;
+ int save_errno = errno;
+
+ ret = krb5_print_address(&addrs.val[i], str, sizeof(str), &len);
+ if (ret)
+ strlcpy(str, "unknown address", sizeof(str));
+ krb5_warn(context, save_errno, "bind(%s)", str);
+ continue;
+ }
+ maxfd = max(maxfd, sockets[i]);
+ if (maxfd >= FD_SETSIZE)
+ krb5_errx(context, 1, "fd too large");
+ FD_SET(sockets[i], &real_fdset);
+ }
+ if (maxfd == -1)
+ krb5_errx(context, 1, "No sockets!");
+
+ roken_detach_finish(NULL, daemon_child);
+
+ while (exit_flag == 0) {
+ krb5_ssize_t retx;
+ fd_set fdset = real_fdset;
+
+ retx = select(maxfd + 1, &fdset, NULL, NULL, NULL);
+ if (retx < 0) {
+ if (errno == EINTR)
+ continue;
+ else
+ krb5_err(context, 1, errno, "select");
+ }
+ for (i = 0; i < n; ++i)
+ if (FD_ISSET(sockets[i], &fdset)) {
+ u_char buf[BUFSIZ];
+ socklen_t addrlen = sizeof(__ss);
+
+ retx = recvfrom(sockets[i], buf, sizeof(buf), 0,
+ sa, &addrlen);
+ if (retx < 0) {
+ if (errno == EINTR)
+ break;
+ else
+ krb5_err(context, 1, errno, "recvfrom");
+ }
+
+ process(keytab, sockets[i],
+ &addrs.val[i],
+ sa, addrlen,
+ buf, retx);
+ }
+ }
+
+ for (i = 0; i < n; ++i)
+ close(sockets[i]);
+ free(sockets);
+
+ krb5_free_addresses(context, &addrs);
+ krb5_kt_close(context, keytab);
+ krb5_free_context(context);
+ return 0;
+}
+
+static RETSIGTYPE
+sigterm(int sig)
+{
+ exit_flag = 1;
+}
+
+int
+main(int argc, char **argv)
+{
+ krb5_keytab keytab;
+ krb5_error_code ret;
+ char **files;
+ int port, i;
+ int aret;
+
+ krb5_program_setup(&context, argc, argv, args, num_args, NULL);
+
+ if (help_flag)
+ krb5_std_usage(0, args, num_args);
+
+ if (version_flag) {
+ print_version(NULL);
+ exit(0);
+ }
+
+ if (detach_from_console > 0 && daemon_child == -1)
+ daemon_child = roken_detach_prep(argc, argv, "--daemon-child");
+
+ if (config_file == NULL) {
+ aret = asprintf(&config_file, "%s/kdc.conf", hdb_db_dir(context));
+ if (aret == -1)
+ errx(1, "out of memory");
+ }
+
+ ret = krb5_prepend_config_files_default(config_file, &files);
+ if (ret)
+ krb5_err(context, 1, ret, "getting configuration files");
+
+ ret = krb5_set_config_files(context, files);
+ krb5_free_config_files(files);
+ if (ret)
+ krb5_err(context, 1, ret, "reading configuration files");
+
+ if (realm_str)
+ krb5_set_default_realm(context, realm_str);
+
+ krb5_openlog(context, "kpasswdd", &log_facility);
+ krb5_set_warn_dest(context, log_facility);
+
+ if (port_str != NULL) {
+ struct servent *s = roken_getservbyname(port_str, "udp");
+
+ if (s != NULL)
+ port = s->s_port;
+ else {
+ char *ptr;
+
+ port = strtol(port_str, &ptr, 10);
+ if (port == 0 && ptr == port_str)
+ krb5_errx(context, 1, "bad port `%s'", port_str);
+ port = htons(port);
+ }
+ } else
+ port = krb5_getportbyname(context, "kpasswd", "udp", KPASSWD_PORT);
+
+ ret = krb5_kt_register(context, &hdb_get_kt_ops);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_register");
+
+ ret = krb5_kt_resolve(context, keytab_str, &keytab);
+ if (ret)
+ krb5_err(context, 1, ret, "%s", keytab_str);
+
+ kadm5_setup_passwd_quality_check(context, check_library, check_function);
+
+ for (i = 0; i < policy_libraries.num_strings; i++) {
+ ret = kadm5_add_passwd_quality_verifier(context,
+ policy_libraries.strings[i]);
+ if (ret)
+ krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+ }
+ ret = kadm5_add_passwd_quality_verifier(context, NULL);
+ if (ret)
+ krb5_err(context, 1, ret, "kadm5_add_passwd_quality_verifier");
+
+
+ explicit_addresses.len = 0;
+
+ if (addresses_str.num_strings) {
+ int j;
+
+ for (j = 0; j < addresses_str.num_strings; ++j)
+ add_one_address(addresses_str.strings[j], j == 0);
+ free_getarg_strings(&addresses_str);
+ } else {
+ char **foo = krb5_config_get_strings(context, NULL,
+ "kdc", "addresses", NULL);
+
+ if (foo != NULL) {
+ add_one_address(*foo++, TRUE);
+ while (*foo)
+ add_one_address(*foo++, FALSE);
+ }
+ }
+
+#ifdef HAVE_SIGACTION
+ {
+ struct sigaction sa;
+
+ sa.sa_flags = 0;
+ sa.sa_handler = sigterm;
+ sigemptyset(&sa.sa_mask);
+
+ sigaction(SIGINT, &sa, NULL);
+ sigaction(SIGTERM, &sa, NULL);
+ }
+#else
+ signal(SIGINT, sigterm);
+ signal(SIGTERM, sigterm);
+#endif
+
+ rk_pidfile(NULL);
+
+ return doit(keytab, port);
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-09 17:06:36 +0000