d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Put OPIE to rest.

Browse Source 
Differential Revision: https://reviews.freebsd.org/D36592
This commit is contained in:
Dag-Erling Smørgrav 2022-10-02 03:37:29 +02:00
parent a82308abab
commit 0aa2700123
120 changed files with 39 additions and 25502 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Makefile.inc1
View File

@ -2953,7 +2953,7 @@ _prebuild_libs= ${_kerberos5_lib_libasn1} \
lib/ncurses/tinfo \
lib/ncurses/ncurses \
lib/ncurses/form \
lib/libopie lib/libpam/libpam lib/libthr \
lib/libpam/libpam lib/libthr \
${_lib_libradius} lib/libsbuf lib/libtacplus \
lib/libgeom \
${_cddl_lib_libumem} ${_cddl_lib_libnvpair} \
@ -3026,7 +3026,7 @@ _generic_libs+= ${_DIR}
.endif
.endfor
lib/libopie__L lib/libtacplus__L: lib/libmd__L
lib/libtacplus__L: lib/libmd__L
.if ${MK_CDDL} != "no"
_cddl_lib_libumem= cddl/lib/libumem

30
ObsoleteFiles.inc
View File

@ -52,6 +52,36 @@
# xargs -n1 | sort | uniq -d;
# done
# 20221001: deorbit opie
OLD_FILES+=etc/opieaccess
OLD_FILES+=etc/opiekeys
OLD_FILES+=usr/bin/opieinfo
OLD_FILES+=usr/bin/opiekey
OLD_FILES+=usr/bin/opiepasswd
OLD_FILES+=usr/bin/otp-md4
OLD_FILES+=usr/bin/otp-md5
OLD_FILES+=usr/bin/otp-sha1
OLD_FILES+=usr/lib/libopie.a
OLD_FILES+=usr/lib/libopie.so
OLD_LIBS+=usr/lib/libopie.so.8
OLD_FILES+=usr/lib/libopie_p.a
OLD_FILES+=usr/bin/opieinfo
OLD_FILES+=usr/lib/pam_opie.so
OLD_LIBS+=usr/lib/pam_opie.so.6
OLD_FILES+=usr/lib/pam_opieaccess.so
OLD_LIBS+=usr/lib/pam_opieaccess.so.6
OLD_FILES+=usr/share/man/man1/opieinfo.1.gz
OLD_FILES+=usr/share/man/man1/opiekey.1.gz
OLD_FILES+=usr/share/man/man1/opiepasswd.1.gz
OLD_FILES+=usr/share/man/man1/otp-md4.1.gz
OLD_FILES+=usr/share/man/man1/otp-md5.1.gz
OLD_FILES+=usr/share/man/man1/otp-sha1.1.gz
OLD_FILES+=usr/share/man/man4/opie.4.gz
OLD_FILES+=usr/share/man/man5/opieaccess.5.gz
OLD_FILES+=usr/share/man/man5/opiekeys.5.gz
OLD_FILES+=usr/share/man/man8/pam_opie.8.gz
OLD_FILES+=usr/share/man/man8/pam_opieaccess.8.gz
# 20220928: telnetd(8) removed
OLD_FILES+=etc/pam.d/telnetd
OLD_FILES+=usr/libexec/telnetd

85
contrib/opie/BUG-REPORT
View File

@ -1,85 +0,0 @@
OPIE Software Distribution, Release 2.4 Bug Reporting Form
======================================= ==================
Before submitting a bug report, please check the README file and make
sure that your "bug" is not a known problem.
Please make a copy of this file and then edit it with your favorite
text editor (NOT a word processor; the end result needs to be reasonable ASCII
text) to include the answers to the following questions:
1. Your name and electronic mail address, in case we need more information.
If you can provide multiple addresses, please do so in case we
are unable to reply to the first one.
2. Your exact operating system vendor, name, and version number. If available,
please provide the output of "uname -a" and/or the version of your C
runtime library. Please be more specific than "UNIX".
3. The exact hardware the system was installed upon.
4. Which compiler and C runtime you used and its version number.
For instance, some systems have been known to have the GNU libc
installed as well as its native one, or to have a "BSD
compatibility" environment.
5. What version of OPIE you are using (the output of opiepasswd -v) and,
if you used the Autoconf install, a copy of the config.h, config.log,
and Makefile that Autoconf created.
6. A clear description of what you did and what bug then appeared.
If your system has the script(1) command, please run a session
under that to demonstrate the bug. Window-system cut-and-paste
also works well. Sometimes, the exact output is critical to
finding the bug.
If you can provide any of the following things, it will greatly assist
us in fixing the problem and improve the chances that we'll get back to you:
7. A diagnosis of what is causing the problem.
8. A test case that can repeatably demonstrate the problem.
9. A fix for the problem.
Bug reports should be sent by Internet electronic mail to
<opie-bugs@inner.net>. This mail is run through an automated sorter that helps
get the bug report into the hands of someone who can help you. In order to
make that program work, we ask that you:
* Send this is normal RFC822 plain text or MIME text/plain.
* DO NOT send this or any other file as an "attachment" from
your mailer.
* DO NOT send a copy of your bug report to ANYONE other than
<opie-bugs@inner.net>. This includes listing more than one recipient
or sending it as a carbon-copy ("Cc:") to someone else.
* DO NOT send a copy of your bug report directly to the
authors or to any mailing lists. This really makes the
authors angry, and will be interpreted as a request to not
provide you with any help.
* DO NOT re-send bug reports because you didn't receive a
response. We attempt to respond to ALL properly submitted
bug reports. If we can't send mail back to you or you
didn't bother to follow the directions for submitting a
bug report, you won't receive a response.
While OPIE is NOT a supported program, we generally try to respond
to all properly submitted bug reports as soon as we can. If your bug report
is properly submitted so our machine sorter can process it, this usually
takes one working day. If our machine sorter can't process your bug report,
it usually takes a week or two.
Copyright
=========
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.

68
contrib/opie/COPYRIGHT.NRL
View File

@ -1,68 +0,0 @@
# @(#)COPYRIGHT 1.1 (NRL) 17 January 1995
COPYRIGHT NOTICE
All of the documentation and software included in this software
distribution from the US Naval Research Laboratory (NRL) are
copyrighted by their respective developers.
Portions of the software are derived from the Net/2 and 4.4 Berkeley
Software Distributions (BSD) of the University of California at
Berkeley and those portions are copyright by The Regents of the
University of California. All Rights Reserved. The UC Berkeley
Copyright and License agreement is binding on those portions of the
software. In all cases, the NRL developers have retained the original
UC Berkeley copyright and license notices in the respective files in
accordance with the UC Berkeley copyrights and license.
Portions of this software and documentation were developed at NRL by
various people. Those developers have each copyrighted the portions
that they developed at NRL and have assigned All Rights for those
portions to NRL. Outside the USA, NRL has copyright on some of the
software developed at NRL. The affected files all contain specific
copyright notices and those notices must be retained in any derived
work.
NRL LICENSE
NRL grants permission for redistribution and use in source and binary
forms, with or without modification, of the software and documentation
created at NRL provided that the following conditions are met:
1. All terms of the UC Berkeley copyright and license must be followed.
2. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
3. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
4. All advertising materials mentioning features or use of this software
must display the following acknowledgements:
This product includes software developed by the University of
California, Berkeley and its contributors.
This product includes software developed at the Information
Technology Division, US Naval Research Laboratory.
5. Neither the name of the NRL nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THE SOFTWARE PROVIDED BY NRL IS PROVIDED BY NRL AND CONTRIBUTORS ``AS
IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL NRL OR
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
The views and conclusions contained in the software and documentation
are those of the authors and should not be interpreted as representing
official policies, either expressed or implied, of the US Naval
Research Laboratory (NRL).
----------------------------------------------------------------------

178
contrib/opie/INSTALL
View File

@ -1,178 +0,0 @@
OPIE Software Distribution, Release 2.4 Installation Instructions
======================================= =========================
Did you read the README file?
If not, please go do so, then come back here. There is information in
the README file that you will probably need to know in order to build and use
OPIE, and you are better off doing it before you try to compile and install
it.
OPIE uses Autoconf to automagically figure out as much as possible
about your system. There are four steps to installing OPIE. Please read them
all first before attempting to do them.
1. Run the "configure" script.
Normally, you will need to type:
sh configure
If you would like to use an access file to allow users from some hosts
to log into your system without using OTPs (thus opening up a big security
hole, but a necessary evil for some sites), type:
sh configure --enable-access-file=/etc/opieaccess
If you'd like the file to go somewhere else, adjust this appropriately.
There are a number of configure-time options available for OPIE. You
probably don't want to change the defaults. To get a complete listing of the
currently available options, type:
sh configure --help
Some options that may be of interest are:
--enable-access-file=FILENAME: Enable the OPIE access file FILENAME
The OPIE access file provides a system administrator with the ability
to make the use of OTP optional for certain hosts. Note that individual
users can create a file named ".opiealways" in their home directory to
require that OTP be used to access to their account. Note also that the
access file is based on addresses, but many of the clients that use it
are only given hostnames. This opens this entire scheme up to DNS
spoofing attacks, which is a major security problem. ALWAYS use a
package such as tcp_wrappers configured to do paranoid checking on DNS
information if you enable this option (it's good practice anyway).
--enable-server-md4: Use MD4 instead of MD5 for the server
The old S/Key package used MD4 instead of MD5. MD4 is believed to be
less secure than MD5. Use this option only for compatibility with old
key files.
--disable-user-locking: Disable user locking
OPIE only allows one session at a time to attempt to authenticate a
principal; this prevents a possible race attack on OTP. This locking
mechanism can cause problems in some applications, in which case you
might want to disable the locking. This option also provides a work-
around if the locking code doesn't work reliably on your system.
--enable-user-locking[=DIR]: Put user lock files in DIR [/etc/opielocks]
The OPIE lock files need to be put in an isolated directory that is
only accessable by the super-user and has a parent directory that is
only writable by the super-user. If you are trying to use OPIE with
the key file shared by NFS, you need to make the lock directory
shared too. (But you read the README file, so you knew this)
--enable-retype: Ask users to re-type their secret pass phrases
On the one hand, this helps prevent users from having to go generate
an OTP, type it into a remote system, and then found out they
mistyped. On the other hand, it's annoying. If this is enabled, users
can simply hit return at the second prompt and the generator will skip
the retype check, which allows users who don't like the retype check
to mostly skip it.
--enable-su-star-check: Refuse to switch to disabled accounts
On many systems, an asterisk means one thing and one thing only: this
account is never meant for human users. Therefore, it doesn't make
much sense for anyone other than an attacker to try to su to that
account. Enabling this check causes su to refuse to switch to
accounts with an asterisk in their password field. While probably
better for security, this is not compatible with traditional *IX su
behavior, so it is disabled by default
--disable-new-prompts: Use more compatible (but less informative) prompts
OPIE uses login prompts that tell you exactly what kind of response
(an OTP response and/or a cleartext password) it expects you to give.
This can break automatic login scripts that look for 'Password:' as
the prompt for the password. If you have users that use such scripts,
you might want to disable the more informative responses so as not to
break those scripts.
--enable-insecure-override: Allow users to override insecure checks
While OPIE cannot determine whether or not a session is secure, it can
check for fairly common signs that it isn't secure. If it believes the
session is insecure, some programs like opiekey will refuse to run
because they prompt the user to send a secret pass phrase. Sometimes
these checks declare a session insecure when it is, and sometimes the
user wants to continue anyway even if the session is insecure. If this
option is enabled, many commands gain a '-f' option to force them to
operate even if OPIE thinks the session is insecure.
--enable-anonymous-ftp Enable anonymous FTP support
By default, the OPIE FTP daemon does not support anonymous FTP
service. The FTP daemon contains many security related bug fixes
relative to the original source, but bugs probably remain. It was not
intended to be used for anonymous FTP, where it is more open to the
commands of potentially hostile users. If you enable this option, it
will once again support anonymous FTP, but it probably isn't secure
when that way.
--disable-utmp Disable utmp logging
--disable-wtmp Disable wtmp logging
On some systems, logging to the utmp and/or wtmp files is just a lost
cause. If this is the case on your system, you might be better off
not having OPIE even try.
--enable-opieauto Enable support for opieauto
opieauto is a facility that caches an intermediate result of the OTP
generator so that a user-selected number of OTPs can be generated on
demand for each time the user types in the secret pass phrase. This
is great for user convenience, as typing a twenty or thirty character
secret pass phrase can be annoying. It can also be a minor security
hole (see the README for details).
2. Edit the Makefile
The Makefile contains some options that you may wish to modify. Also
verify that Autoconf chose the correct options for your system.
The Makefile created by Autoconf should be correct for most users
as-is.
3. Build OPIE
Normally, you will need to type:
make
If you only want to build the client programs, type:
make client
If you only want to build the server programs, type:
make server
4. Verify that OPIE works on your system and install
Normall, you will need to type:
make install
If you only want to install the client programs, type:
make client-install
If you only want to install the server programs, type:
make server-install
If you encounter any problems, you may be able to run "make uninstall"
to remove the OPIE software from your system and revert back to almost the
way things were before.
Copyright
=========
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this document are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.

45
contrib/opie/License.TIN
View File

@ -1,45 +0,0 @@
The Inner Net License, Version 2
================================
The author(s) grant permission for redistribution and use in source and
binary forms, with or without modification, of the software and documentation
provided that the following conditions are met:
0. If you receive a version of the software that is specifically labelled
as not being for redistribution (check the version message and/or README),
you are not permitted to redistribute that version of the software in any
way or form.
1. All terms of the all other applicable copyrights and licenses must be
followed.
2. Redistributions of source code must retain the authors' copyright
notice(s), this list of conditions, and the following disclaimer.
3. Redistributions in binary form must reproduce the authors' copyright
notice(s), this list of conditions, and the following disclaimer in the
documentation and/or other materials provided with the distribution.
4. All advertising materials mentioning features or use of this software
must display the following acknowledgement with the name(s) of the
authors as specified in the copyright notice(s) substituted where
indicated:
This product includes software developed by <name(s)>, The Inner
Net, and other contributors.
5. Neither the name(s) of the author(s) nor the names of its contributors
may be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY ITS AUTHORS AND CONTRIBUTORS ``AS IS'' AND ANY
EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE LIABLE FOR ANY
DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Please distribute a copy of this license with the software and make it
reasonably easy for others to find.
If these license terms cause you a real problem, contact the author.

327
contrib/opie/Makefile.in
View File

@ -1,327 +0,0 @@
##
# Makefile.source and Makefile: Directions for building and installing OPIE.
#
# %%% portions-copyright-cmetz-96
# Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
# Reserved. The Inner Net License Version 2 applies to these portions of
# the software.
# You should have received a copy of the license with this software. If
# you didn't get a copy, you may request one from <license@inner.net>.
#
# Portions of this software are Copyright 1995 by Randall Atkinson and Dan
# McDonald, All Rights Reserved. All Rights under this copyright are assigned
# to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
# License Agreement applies to this software.
#
# History:
#
# Modified by cmetz for OPIE 2.4. Add libmissing to include header path.
# Renamed realclean to distclean. Added opieauto rules. Made
# system program install more tolerant of non-existent files.
# Modified by cmetz for OPIE 2.31. Moved logwtmp.o into libopie.
# Modified by cmetz for OPIE 2.3. Removed manual config -- it's
# Autoconf or bust. Replaced user configuration options
# with options.h. Eliminated unused variables. Pass down
# $(DEBUG) instead of several other variables to the
# subdirs. Extended/standard key file support. Added
# dependencies on subdir files. Made opietest call silent.
# Removed opie-md4, opie-md5, and key aliases. Removed
# test target. Make uninstall remove man page aliases.
# Modified by cmetz for OPIE 2.22. Removed @LIBOBJS@ from MISSING for
# Autoconf target. Re-ordered LFLAGS because some ld's won't
# include libmissing properly if it's not at the end.
# Modified by cmetz for OPIE 2.21. Added getusershell.o to IRIX
# missing functions.
# Modified by cmetz for OPIE 2.2. Added NEW_PROMPTS definition.
# Added MISSING and new flags-passing for libmissing.
# Quote MISSING or lose. Update TEST target for FTPD
# variable. Removed line formatting for compile commands
# since macro expansion confuses the issue anyway.
# Added targets for opieserv. Added targets for opietest.
# Removed obselete options.h target. Swapped libmissing
# and libopie. Updated manual config options. Added more
# explanatory text. Fixed uses of old SYSV and BSD4_3
# symbols.
# Modified at NRL for OPIE 2.2: Renamed LDFLAGS setting to LIBS,
# renamed LDFLAGS in targets to LFLAGS. Added targets for
# libopie and libmissing directories. Got rid of PROTOTYPES.
# Added opiegen. Fixed RANLIB Autoconf target.
# Modified at NRL for OPIE 2.11: Fixed fatal mistype of Autoconf.
# Modified at NRL for OPIE 2.1: Changed targets to reflect source
# file name changes. Changed explanation and flags for static
# linking. Changed opieinfo target. Removed WHOAMI. Added
# Autoconf targets. Changed if conditionals to use test
# instead of [. Changed SU_DIR to SU to help autoconf.
# Changed FTPDIR and FTPDNAME to FTPD to help autoconf.
# Changed HP-UX to HP-UX9 and HP-UX10. Make uninstall
# target depend on config. HPUX *is* no longer necessary, but
# something does have to be there. Sub in Autoconf @CC@.
# Modified at NRL for OPIE 2.04: Re-worded explanation of SU_STAR_CHECK.
# Modified at NRL for OPIE 2.02: Added SU_STAR_CHECK flag.
# Modified at NRL for OPIE 2.01: Test target makes opiesu and opielogin
# setuid. install target clears that. uninstall target needs to
# remove the opiekey symlinks. opieinfo target needs to
# substitute for $(EXISTS). ifdefs target needs to check for
# starting hash. $(LFLAGS) and -o should be at the end of all
# link commands to spoon-feed drain bamaged link editors. Added
# A/UX defaults.
# Modified heavily at NRL for OPIE 2.0.
# Written at Bellcore for the S/Key Version 1 software distribution
# (Makefile).
#============================================================================
# CONFIGURATION PARAMETERS -- CHANGE THESE TO SUIT YOUR MACHINE
# Shell to use for make(1)
# It's usually a good idea to leave this as-is. On some systems, ksh or bash
# may be necessary
SHELL=/bin/sh
# OWNER is the username who should own the OPIE binaries.
# GROUP is the groupname associated with the OPIE binaries.
#
OWNER=0
GROUP=bin
# Where should the OPIE standard and extended databases be stored?
#
# Some sites might want to put this elsewhere. If you want to use an old
# S/Key database, you should create a link from /etc/skeykeys to /etc/opiekeys.
KEY_FILE=/etc/opiekeys
# Are we debugging?
#
# The first line will build a normal version of OPIE. You should use it.
#
# The second is for brave souls porting OPIE to a new system or trying to
# debug it and should definitely NOT be used to build a production copy
# of OPIE.
#
# The third is the above using nifty heap debugger called "Electric Fence".
DEBUG=-O
#DEBUG=-DDEBUG=1 -g
#DEBUG=-DDEBUG=1 -g -lefence
# These parameters are determined by Autoconf and are probably correct.
# If OPIE doesn't build or work right, try tweaking these.
CC=@CC@
YACC=@YACC@
FTPD=@FTPD@
LIBS=@LIBS@
OPTIONS=@DEFS@
EXISTS=@EXISTS@
MKDIR=@MKDIR@
CHOWN=@CHOWN@
LOCALBIN=@LOCALBIN@
LOCALMAN=@LOCALMAN@
SU=@SU@
ALT_SU=@ALT_SU@
LOGIN=@LOGIN@
LOCK_DIR=@LOCK_DIR@
OPIEAUTO=@OPIEAUTO@
BACKUP=opie.old
CFLAGS=$(DEBUG) -Ilibmissing
LFLAGS=-Llibopie -Llibmissing -lopie $(LIBS) -lmissing -lopie
LDEPS=libmissing/libmissing.a libopie/libopie.a
all: client server
ifdefs:
egrep '^#*if*def' *.c *.h | cut -f2 -d: | sort | uniq
client: libopie/libopie.a libmissing/libmissing.a opietest-passed opiekey opiegen $(OPIEAUTO)
client-install: client
@echo "Installing OPIE client software..."
@echo "Copying OPIE key-related files"
@if test ! -d $(LOCALBIN); then $(MKDIR) $(LOCALBIN); chmod 755 $(LOCALBIN); fi
@cp opiekey $(OPIEAUTO) $(LOCALBIN)
@$(CHOWN) $(OWNER) $(LOCALBIN)/opiekey
@if test ! -z "$(OPIEAUTO)"; then $(CHOWN) $(OWNER) $(LOCALBIN)/opieauto; fi
@chgrp $(GROUP) $(LOCALBIN)/opiekey
@echo "Changing file permissions"
@chmod 0511 $(LOCALBIN)/opiekey
@if test ! -z "$(OPIEAUTO)"; then chmod 0511 $(LOCALBIN)/opieauto; fi
@echo "Symlinking aliases to opiekey"
@-ln -s $(LOCALBIN)/opiekey $(LOCALBIN)/otp-md4
@-ln -s $(LOCALBIN)/opiekey $(LOCALBIN)/otp-md5
@echo "Installing manual pages"
@-for i in otp-md4 otp-md5; do ln -s opiekey.1 $(LOCALMAN)/man1/$$i.1; done
@if test ! -d $(LOCALMAN)/man1; then $(MKDIR) $(LOCALMAN)/man1; chmod 755 $(LOCALMAN)/man1; fi; cp opiekey.1 $(LOCALMAN)/man1/opiekey.1; $(CHOWN) $(OWNER) $(LOCALMAN)/man1/opiekey.1; chgrp $(GROUP) $(LOCALMAN)/man1/opiekey.1; chmod 644 $(LOCALMAN)/man1/opiekey.1
server: libopie/libopie.a libmissing/libmissing.a opietest-passed opielogin opiesu opiepasswd opieinfo opieftpd opieserv
server-install: server
@echo "Installing OPIE server software..."
@echo "Copying OPIE user programs"
@if test ! -d $(LOCALBIN); then $(MKDIR) $(LOCALBIN); chmod 755 $(LOCALBIN); fi
@cp opiepasswd opieinfo $(LOCALBIN)
@echo "Changing ownership"
@$(CHOWN) $(OWNER) $(LOCALBIN)/opiepasswd $(LOCALBIN)/opieinfo
@chgrp $(GROUP) $(LOCALBIN)/opiepasswd $(LOCALBIN)/opieinfo
@echo "Changing file permissions"
@chmod 0555 $(LOCALBIN)/opieinfo
@chmod 4511 $(LOCALBIN)/opiepasswd
@echo "Installing OPIE system programs..."
@if test ! -z $(LOGIN); \
then \
if test ! $(EXISTS) $(LOGIN).$(BACKUP); \
then \
echo "Renaming existing $(LOGIN) to $(LOGIN).$(BACKUP)"; \
mv $(LOGIN) $(LOGIN).$(BACKUP); \
echo "Clearing permissions on $(LOGIN)"; \
chmod 0 $(LOGIN).$(BACKUP); \
fi; \
echo "Copying OPIE login to $(LOGIN)"; \
cp opielogin $(LOGIN); \
echo "Changing ownership of $(LOGIN)"; \
$(CHOWN) $(OWNER) $(LOGIN); \
chgrp $(GROUP) $(LOGIN); \
echo "Changing file permissions of $(LOGIN)"; \
chmod 4111 $(LOGIN); \
fi
@if test ! -z $(SU); \
then \
if test ! $(EXISTS) $(SU).$(BACKUP); \
then \
echo "Renaming existing $(SU) to $(SU).$(BACKUP)"; \
mv $(SU) $(SU).$(BACKUP); \
echo "Clearing permissions on $(SU)"; \
chmod 0 $(SU).$(BACKUP); \
fi; \
echo "Copying OPIE su to $(SU)"; \
cp opiesu $(SU); \
echo "Changing ownership of $(SU)"; \
$(CHOWN) $(OWNER) $(SU); \
chgrp $(GROUP) $(SU); \
echo "Changing file permissions of $(SU)"; \
chmod 4111 $(SU); \
fi
@if test ! -z $(ALT_SU); \
then \
if test ! $(EXISTS) $(ALT_SU).$(BACKUP); \
then \
echo "Renaming existing $(ALT_SU) to $(ALT_SU).$(BACKUP)"; \
mv $(ALT_SU) $(ALT_SU).$(BACKUP); \
echo "Clearing permissions on $(ALT_SU)"; \
chmod 0 $(ALT_SU).$(BACKUP); \
fi; \
echo "Copying OPIE su to $(ALT_SU)"; \
cp opiesu $(ALT_SU); \
echo "Changing ownership of $(ALT_SU)"; \
$(CHOWN) $(OWNER) $(ALT_SU); \
chgrp $(GROUP) $(ALT_SU); \
echo "Changing file permissions of $(ALT_SU)"; \
chmod 4111 $(ALT_SU); \
fi
@if test ! -z $(FTPD); \
then \
if test ! $(EXISTS) $(FTPD).$(BACKUP); \
then \
echo "Renaming existing $(FTPD) to $(FTPD).$(BACKUP)"; \
mv $(FTPD) $(FTPD).$(BACKUP); \
echo "Clearing permissions on $(FTPD).$(BACKUP)"; \
chmod 0 $(FTPD).$(BACKUP); \
fi; \
echo "Copying OPIE ftp daemon to $(FTPD)"; \
cp opieftpd $(FTPD); \
echo "Changing ownership of $(FTPD)"; \
$(CHOWN) $(OWNER) $(FTPD); \
chgrp $(GROUP) $(FTPD); \
echo "Changing file permissions of $(FTPD)"; \
chmod 0100 $(FTPD); \
fi
@echo "Making sure OPIE database file exists";
@touch $(KEY_FILE)
@echo "Changing permissions of OPIE database file"
@chmod 0644 $(KEY_FILE)
@echo "Changing ownership of OPIE database file"
@$(CHOWN) $(OWNER) $(KEY_FILE)
@chgrp $(GROUP) $(KEY_FILE)
@-if test ! -z "$(LOCK_DIR)"; then echo "Creating OPIE lock directory"; mkdir $(LOCK_DIR); $(CHOWN) 0 $(LOCK_DIR); chgrp 0 $(LOCK_DIR); chmod 0700 $(LOCK_DIR); fi;
@-if test ! -z "$(ACCESS_FILE)"; then echo "Creating OPIE access file (don't say we didn't warn you)"; touch $(ACCESS_FILE); $(CHOWN) 0 $(ACCESS_FILE); chgrp 0 $(ACCESS_FILE); chmod 0444 $(ACCESS_FILE); fi;
@echo "Installing manual pages"
@if test ! -d $(LOCALMAN); then $(MKDIR) $(LOCALMAN); chmod 755 $(LOCALMAN); fi
@for i in 1 4 5 8; do for j in *.$$i; do if test ! -d $(LOCALMAN)/man$$i; then $(MKDIR) $(LOCALMAN)/man$$i; chmod 755 $(LOCALMAN)/man$$i; fi; cp $$j $(LOCALMAN)/man$$i/$$j; $(CHOWN) $(OWNER) $(LOCALMAN)/man$$i/$$j; chgrp $(GROUP) $(LOCALMAN)/man$$i/$$j; chmod 644 $(LOCALMAN)/man$$i/$$j; done; done
@echo "REMEMBER to run opiepasswd on your users immediately."
install: client-install server-install
uninstall:
@echo "Un-installing OPIE..."
@echo "Removing symlinks"
@-for i in otp-md4 otp-md5; do rm $(LOCALBIN)/$$i; done
@echo "Removing OPIE programs"
@-for i in opiekey opiepasswd opieinfo; do rm $(LOCALBIN)/$$i; done
@echo "Removing OPIE manual pages"
@-for i in 1 4 5 8; do for j in *.$$i; do rm $(LOCALMAN)/man$$i/$$j; done; done
@-rm $(LOCALMAN)/man1/otp-md4.1 $(LOCALMAN)/man1/otp-md5.1
@echo "Restoring old binaries"
@-for i in $(SU) $(ALT_SU) $(LOGIN) $(FTPD); do FILE=`basename $$i`; if test ! $(EXISTS) $$i.$(BACKUP); then echo "No $$i.$(BACKUP)! Aborting."; exit 1; else echo "Removing $$FILE"; rm $$i || true; echo "Restoring old $$FILE"; mv $$i.$(BACKUP) $$i; fi; done
@echo "Resetting permissions"
@chmod 4111 $(SU) $(LOGIN)
@chmod 0100 $(FTPD)
@if test ! -z "$(ALT_SU)"; then chmod 4111 $(ALT_SU); fi
@echo "OPIE is now un-installed."
@echo "Please verify by hand that this process worked."
opietest-passed: opietest
-./opietest && touch opietest-passed
libopie/libopie.a: libopie/*.c *.h
(cd libopie ; $(MAKE) libopie.a CFL='$(CFLAGS) -DKEY_FILE=\"$(KEY_FILE)\"')
libmissing/libmissing.a: libmissing/*.c
(cd libmissing ; $(MAKE) libmissing.a CFL='$(CFLAGS)')
clean:
-rm -f *.o opiekey opiegen opielogin opiepasswd opiesu opieftpd
-rm -f opieserv opieinfo opietest opieauto *core* opietest-passed
-rm -f Makefile.munge configure.munger y.tab.c .gdb*
(cd libopie ; $(MAKE) clean)
(cd libmissing ; $(MAKE) clean)
realclean: distclean
distclean: clean
-rm -f *~ core* "\#*\#" Makefile make.log
-rm -f config.log config.status config.cache config.h
(cd libopie ; $(MAKE) distclean)
(cd libmissing ; $(MAKE) distclean)
opiekey: opiekey.o $(LDEPS)
$(CC) $(CFLAGS) opiekey.o $(LFLAGS) -o opiekey
opiegen: opiegen.o $(LDEPS)
$(CC) $(CFLAGS) opiegen.o $(LFLAGS) -o opiegen
opieserv: opieserv.o $(LDEPS)
$(CC) $(CFLAGS) opieserv.o $(LFLAGS) -o opieserv
opieftpd: opieftpd.o glob.o popen.o y.tab.o $(LDEPS)
$(CC) $(CFLAGS) opieftpd.o glob.o popen.o y.tab.o $(LFLAGS) -o opieftpd
opielogin: opielogin.o permsfile.o $(LDEPS)
$(CC) $(CFLAGS) opielogin.o permsfile.o $(LFLAGS) -o opielogin
opiepasswd: opiepasswd.o $(LDEPS)
$(CC) $(CFLAGS) opiepasswd.o $(LFLAGS) -o opiepasswd
opiesu: opiesu.o $(LDEPS)
$(CC) $(CFLAGS) opiesu.o $(LFLAGS) -o opiesu
y.tab.c: ftpcmd.y
$(YACC) ftpcmd.y
opieinfo: opieinfo.o $(LDEPS)
$(CC) $(CFLAGS) opieinfo.o $(LFLAGS) -o opieinfo
opietest: opietest.o $(LDEPS)
$(CC) $(CFLAGS) opietest.o $(LFLAGS) -o opietest
opieauto: opieauto.o $(LDEPS)
$(CC) $(CFLAGS) opieauto.o $(LFLAGS) -o opieauto

508
contrib/opie/README
View File

@ -1,508 +0,0 @@
OPIE Software Distribution, Release 2.4 Important Information
======================================= =====================
Introduction
============
"One-time Passwords In Everything" (OPIE) is a freely distributable
software package originally developed at and for the US Naval Research
Laboratory (NRL). Recent versions are the result of a cooperative effort
between of NRL, several of the original NRL authors, The Inner Net, and many
other contributors from the Internet community.
OPIE is an implementation of the One-Time Password (OTP) System that
is being considered for the Internet standards-track. OPIE provides a one-time
password system. The system should be secure against the passive attacks
now commonplace on the Internet (see RFC 1704 for more details). The system
is vulnerable to active dictionary attacks, though these are not widespread
at present and can be detected through proper use of system audit
software.
OPIE is primarily written for UNIX-like operating systems, but
we are working to make applicable portions portable to other operating systems.
The OPIE software is derived in part from and is fully interoperable with the
Bell Communications Research (Bellcore) S/Key Release 1 software. Because
Bellcore claims "S/Key" as a trademark for their software, NRL was forced to
use a different name (we picked "OPIE") for this software distribution.
OPIE includes the following additions/modifications to the
original Bellcore S/Key(tm) Version 1 software:
* Just about three command installation (unpack the software, run the
configure script, and run make install). While we still recommend that you
follow instructions and test things by hand, the more adventurous can
install OPIE quickly.
* A modified BSD FTP daemon that does OTP.
* A version of su that uses OTP by default.
* MD5 support. MD5 is now the default algorithm, though MD4 is still supported
by changing a parameter in the Makefile. This change was made because MD5 is
widely believed to be cryptographically stronger than MD4 (see RFC 1321).
* A more portable version of MD4 has been substituted for the original MD4.
This should solve the endian problems that were in S/Key.
* Most of the system-dependencies have been moved to a new file "opie_cfg.h".
* Configuration options have been moved to the Makefile.
* Isolated system dependencies (e.g. BSDisms) with appropriate #ifdefs.
* Revised the opiekey(1) program to simultaneously support MD4 and MD5, with
the default algorithm being tunable using the MDX symbol in the Makefile.
* More operating systems are supported by recent versions of OPIE, but older
BSD systems that aren't close to being compliant with the POSIX standard are
no longer supported.
* Transition mechanisms are optional to prevent potential back doors.
* On systems using the /etc/opieaccess transition mechanism, users can choose
to require the use of OPIE to login to their accounts when it would
otherwise be optional.
* Bug fixes
* Cosmetic changes
* Prompts (optionally) identify specifically what kind of entry (system
password, secret pass phrase, or OTP response) is allowed.
* Changes to mostly conform with the draft Internet OTP standard.
A Glance at What's New
======================
2.4 TEST VERSION -- NOT FOR REDISTRIBUTION
Merged in opieauto, which is disabled by default.
Lots of documentation updates.
Portability and bug fixes.
2.32 January 1, 1998.
Indicate support for extended responses in challenges and check for such
indication before generating any extended responses.
Lots of portability and bug fixes.
2.31 March 20, 1997.
Removed active attack protection support due to patent problems.
Removed the supplemental key file; it did more harm than good.
Moved user locks to a separate directory.
Moved user-serviceable configuration options to the configure script.
Lots of portability and bug fixes.
2.3 September 22, 1996
Autoconf is now the only supported configuration method.
Lots of internal functions got re-written in ways that will make some
planned future changes easier.
OTP extended responses, such as automatic re-initialization.
Support for a supplemental key file that stores information that was not
in the original /etc/skeykeys file. This allows OPIE to store extra data needed
for things like the OTP re-initialization extended response without breaking
interoperability with other S/Key derived programs. This file is named
"/etc/opiekeys.ext" by default. Unlike the standard key file, it MUST NOT be
world readable.
OPIE should better support some of the native "features" of drain bamaged
OSs such as AIX, HP-UX, and Solaris.
OPIE's utmp/wtmp handling has been completely re-written. This should solve
many of the utmp/wtmp problems people have been having.
Lots of cleanups.
Bug fixes.
2.22 May 3, 1996.
More minor bug fixes. OPIE once again works on Solaris 2.x.
2.21 April 27, 1996.
Minor bug fixes.
2.2 April 11, 1996.
opiesubr.c, opiesubr2.c, and a few other functions moved into a
subdirectory and split into files with fine granularity. Ditto with missing
function replacements. This subdirectory structure changes a lot of things
around and more splitting like this should be expected in the near future.
Added opiegenerator() library function that should make it very easy to
create OTP clients using the OPIE library (this function is subject to change:
there are a few problems remaining to be solved). Just about re-wrote
opiegetpass() to use raw I/O and got most of the OPIE programs actually using
that function. Autoconf build fixes. Lots of bug fixes. Lots of portability
fixes. Function declarations should be ANSI style for ANSI compilers. Several
fixes to bring OPIE in line with the latest OTP spec. MJR DES key crunch
de-implemented.
Added sample programs: opiegen (client) and opieserv (server).
Probably broke non-autoconf support along the way :(. I've tried to bring
this back in sync, but it may still be broken.
2.11 December 27, 1995.
Minor bug fixes.
2.10 December 26, 1995.
Optional autoconf support. opieinfo is now a normal program. Bugs fixed --
should work much better on SunOS, HP-UX, and AIX.
2.01 -- 2.04
Bug fix releases.
2.00
Initial release of OPIE 2.0.
System Requirements
===================
In order to build and run properly, OPIE requires:
* A UNIX-like operating system
* An ANSI C compiler and run-time library
* POSIX.1- and X/Open XPG-compliance (including termios)
* The BSD sockets API
* Approximately five megabytes of free disk space
In practice, we believe that many systems who are close to meeting
these requirements but aren't completely there (for example, SunOS with the
native compiler) will also work. Systems who aren't anywhere near close
(for example, DOS) are not likely to work without major adjustments to the
OPIE code.
If OPIE Doesn't Work
====================
Under NO circumstances should you send trouble reports directly to the
authors or contributors. They WILL BE IGNORED.
Make sure you have the latest version of OPIE. The latest version is
available by HTTP at:
http://www.inner.net/pub/opie
(sorry, but anonymous FTP is no longer available)
If you have installed the OPIE software (either through "make test"
in (7) above or "make install" in (14)), you can run "make uninstall" from the
OPIE software distribution directory. This should remove the OPIE software and
restore the original system programs, but it will not work properly (and can
even result in the total loss of the old system programs -- beware!) if the
installation procedure itself did not work properly.
If you are running a release version, try installing the latest public
test version (look around). These frequently have already fixed the problem
you are seeing, but may have new problems of their own (that's why they're
test versions!). Similarly, if you are running a test version, try installing
the latest released version.
OPIE is NOT supported software. We don't promise to support you or
even to acknowledge your mail, but we are interested in bug reports and are
reasonable folks. We also have an interest in seeing OPIE work on as many
systems as we can. However, if your system doesn't meet the basic requirements
for OPIE, this will probably require an unreasonable amount of effort.
The best bug reports include a diagnosis of the problem and a fix.
Your bug report can still be valuable if you can at least diagnose what the
problem is. If you just tell us "it doesn't work," then we won't be able to
do anything to help you.
We've received a number of bug reports from people that look
interesting, only to find when we try to follow up on them that the user
either has an invalid return address or never bothered to respond to our
followup. Please make sure that bug reports you send us have an electronic
mail address that we can reply to somewhere in them (if necessary, just
put it in the message body). If we send you a response and you are unable
to invest the time to work with us to solve the problem, please tell us --
few things are more irritating than when someone sends us information
about a bug that we'd like to fix and then is never heard from again.
We try to respond to all properly submitted bug reports. Improperly
submitted bug reports will be responded to only if we have time left after
responding to properly submitted bug reports. We deliberately ignore bug
"reports" sent to mailing lists or USENET news groups instead of or before
our bug report address. At the least, the latter practice is lacking in
courtesy.
The file BUG-REPORT contains our bug reporting form. Please use it
and follow the submission instructions in that file. We are going to switch
to machine-parsed bug report processing sometime in the near future to make
it easier to coordinate bug hunting.
Gotchas
=======
Solaris 2.x is just a lose. It does a lot of nonstandard and downright
broken things. If you want OPIE to be reliable on your box, upgrade to OpenBSD
or Linux.
While an almost universal "feature", most people remain unaware that
an intruder can log into a system, then log in again by running the "login"
command from a shell. Because the second login is from the local host, the
utmp entry will not show a remote login host anymore. The OPIE replacement
for /bin/login currently carries on this behavior for compatibility reasons.
If you would like to prevent this from happening, you should change the
permissions of /bin/login to 0100, thus preventing unprivileged users from
executing it. This fix should work on non-OPIE /bin/login programs as well.
On 4.3BSDish systems, the supplied /bin/login replacement obtains
the terminal type for the console comes from the console line in the /etc/ttys
file. Several systems contain a default entry in this file that specifies the
console terminal type as "unknown". This is probably not what you want.
The OPIE FTP daemon responds with two 530 error messages if you have
not yet logged in and execute a command that will also do a PORT request. This
is a feature, not a bug, as the FTP client is really sending the server two
commands (for instance, a PORT and a LIST if you tell your BSD FTP client to do
a DIR command) and the server is responding to each of them with an error. The
stock BSD FTP daemon doesn't check the PORT commands to see if you are logged
in, so you would only get one error message. This change should not break any
standards-compliant FTP client, but there are a number of brain-damaged GUI
clients that have a track record for not dealing gracefully with any server
other than the stock BSD one.
The /etc/opieaccess transition mechanism is, by definition, a security
hole in the OPIE software because an attacker could use it to circumvent the
requirement for OPIE authentication. You should compile the software with
support for this file disabled unless you absolutely cannot use the software
without it because of your environment. If you do use this support for
transition purposes, you should move people to OTP authentication as quickly
as possible and rebuild and reinstall OPIE with this transition support
disabled so that you won't have a lurking security hole.
If this wasn't already clear, do not let your sequence number fall
below about ten. If your sequence number reaches zero, your OTP sequence
can only be reset by the superuser. System administrators should make this
caveat known to their users.
On Solaris 2.x systems (and possibly others) running NIS+, users
should run keylogin(1) manually after login because opielogin(1) does not
do that automatically like the system login(1) program.
There are reports that some versions of GNU C Compiler (GCC)
(when installed on some systems) use their own termios(4) instead of
the system's termios(4). This can cause problems. If you are having
compilation problems that seem to relate to termios and you are using
GCC, you should probably verify that it is using the system's
termios(4) and not some internal-to-GCC termios(4). One report
indicates that Sun's C compiler works fine with SunOS 4.1.3/4.1.4 on
SPARC, but that some version of GCC on the same system has this
termios(4) problem. We haven't reproduced these problems ourselves
and hence aren't sure what is happening, but we pass this along for
your information. (This may have something to do with the use of GNU
libc)
If a user has a valid entry in the opiekeys database but has an
asterisk in their traditional password entry, they will not be able to
log in via opielogin, but opielogin will decrement their sequence number
if a valid response is received.
On some systems, the OPIE login program does not always display
a "login:" prompt the first time. There is a race condition in many older
telnetds that is probably the cause of this problem. This should be fixed by
replacing your telnetd with the latest version of the stock telnetd
(ftp.cray.com:/src/telnet).
The standard HPUX compiler is severely drain bamaged. One of the
worst parts is that it sometimes won't grok a symbol definition with forward
slashes in them properly and can choke badly on the definition of the key
file's location. If this happens to you, install and use GCC. (This problem
may or may not also come up with the optional HP ANSI C compiler -- we don't
know for sure what compilers have this problem).
As of OPIE 2.2, the seed is converted to lower case and its length is
checked in order to comply with the OTP specification. If any of your users
have seeds that use capital letters or are too long, they need to run the OPIE
2.2 opiepasswd program to re-initialize their sequence to one with a different
seed.
opielogin is a replacement for /bin/login. It is NOT an OPIE "shell."
You can use it as one, but don't be surprised if it doesn't behave the way
you expect -- we've seen various reports of success and failure when used this
way. An OPIE "shell" is on the TODO list.
Clients that use opiegen() will automatically send a re-initialization
extended response if the sequence number falls below ten. If the server does
not support this, the user will need to log in using opiekey and reset his
sequence manually (using opiepasswd).
For reasons that remain very unclear, Solaris passes the login name
from getty/telnetd to login by stuffing it in the terminal input buffer
instead of passing it on the command line like every other *IX. This is just
plain broken. Solaris has other problems with its telnetd and getty; you may
want to consider getting the telnet(d) sources (ftp.cray.com:/src/telnet)
and reasonable getty sources (try sunsite.unc.edu:/pub/Linux/system/Serial, at
least one of agetty, mingetty, and getty_ps should work) and replacing the
Solaris versions with these. OPIE should work *much* more happily with these
programs than the ones that come with Solaris. However, there could be negative
side effects -- this is not a procedure recommended for the faint of heart.
OPIE is a lot more fussy than it used to be about lock files and where
it puts them. The lock file directory must be a directory used only for OPIE
lock files. It must be a directory, owned by the superuser, and must be mode
0700.
opieauto is a potential security hole. It opens a limited window of
exposure by transmitting and storing information that can be used to
generate one or more OTPs earlier than the current sequence number. Every
effort has been made to limit the potential for compromise to the user-
specified window. However, an attacker with superuser priveleges or access to
your account on the client system can still generate OTPs based on the
information cached via opieauto. In practice, there are other ways for such an
an attacker to get your entire secret pass phrase, so this is probably not
creating a significant new security problem. However, because of this
potential for problems and because opieauto uses system features that are not
present on all systems, opieauto support is not compiled in by default and
must be specifically enabled at compile time.
Many users are running OPIE with the key file on a shared NFS volume
in order to use OTP as a single-login system for a cluster of machines. OPIE
was NOT designed to be operated this way, though it does seem to work. If it
fails or if this proves insecure, this is not OPIE's fault. Note that, if you
do this, you probably want to share the OPIE lock files too.
Gripes
======
Is it too much to ask that certain OS vendors just do the right thing
and not "fix" what isn't broken? (Look at all the ifdefs in the OPIE code and
the answer is clear)
utmp and wtmp handling in OPIE has been a very, very sore subject.
Every vendor does things differently, and, of course, most of them swear they
are complying to some or other "standard." My (cmetz) conclusion is that the
only thing that is standard about utmp and wtmp handling is that it will be
nonstandard on any given system. I've tried a lot of things and I've wasted
*a lot* of time on trying to make utmp and wtmp handling work for everybody;
my conclusion is that it will never happen. While I am still interested in
hearing about fixes for utmp/wtmp on systems where they don't work, I'm not
likely to go out of my way to fix utmp/wtmp handling. If you want it fixed,
the best way to do it is to fix it yourself and contribute a patch. As long as
the patch is reasonable, it will be included in the next release. If you can't
wait, use the --disable-utmp option.
Credits
=======
First and foremost credit goes to Phil Karn, Neil M. Haller, and John
S. Walden of Bellcore for creating the S/Key Version 1 software distribution
and for making its source code freely available to the public. Without their
work, OPIE would not exist. Neil has also invested a good amount of his time
in the development of a standard for One-Time Passwords so that packages like
OPIE can interoperate.
The first NRL OPIE distribution included modifications made primarily
by Dan McDonald of the U.S. Naval Research Laboratory (NRL) during March 1994.
The 2nd NRL OPIE distribution, which has a number of improvements in areas
such as portability of software and ease of installation, is primarily the
work of Ran Atkinson and Craig Metz. Other NRL contributors include Brian
Adamson, Steve Batsell, Preston Mullen, Bao Phan, Jim Ramsey, and Georg Thomas.
Some of version 2.2 was developed at NRL and released as a work in
progress. Most of the release version was developed by Craig Metz (also of
NRL), others at The Inner Net, and contributors from the Internet community.
Versions beyond 2.2 were developed outside NRL, so don't blame them if they
don't work (But please credit them when it does. Without the NRL effort, there
wouldn't be an OPIE).
We would like to also thank everyone who helped us by by beta testing,
reporting bugs, suggesting improvements, and/or sending us patches. We
appreciate your contributions -- they have helped to make OPIE more of a
community effort. These contributors include:
Mowgli Assor
Lawrie Brown
Andrew Davis
Taso N. Devetzis
Carson Gaspar
Dennis Glatting
Ben Golding
Axel Grewe
"Hobbit"
Kojima Hajime
Darren Hosking
Matt Hucke
Kenji Kamizono
Charles Karney
Jeff Kletsky
Peter Koch
Martijn Koster
Osamu Kurati
Ayamura Kikuchi
Ronald van der Meer
Bret Musser
Hiroshi Nakano
Ikuo Nakagawa
Angelo Neri
C. R. Oldham
Ossama Othman
D. Jason Penney
John Perkins
Steve Price
Jim Simmons
Steve Simmons
Brad Smith
Werner Wiethege
Ken-ichi Yamasaki
Wietse Venema
OPIE development at NRL was sponsored by the Information Security
Program Office (PD 71E), U.S. Space and Naval Warfare Systems Command, Crystal
City, Virginia.
If you have problems with OPIE, please follow the instructions under
"If OPIE Doesn't Work." Under NO circumstances should you send trouble
reports directly to the authors or contributors. They WILL BE IGNORED.
Trademarks
==========
S/Key is a trademark of Bell Communications Research (Bellcore).
UNIX is a trademark of X/Open.
NRL is a trademark of the U. S. Naval Research Laboratory.
All other trademarks are trademarks of their respective owners.
The term "OPIE" is in the public domain and hence cannot be legally
trademarked by anyone. Please do not abuse it.
Copyrights
==========
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
Portions of this software are copyright 1980-1990 Regents of the
University of California, all rights reserved. The Berkeley Software
License Agreement specifies the terms and conditions for redistribution.
Portions of this software are copyright 1990 Bell Communications Research
(Bellcore), all rights reserved.

226
contrib/opie/acconfig.h
View File

@ -1,226 +0,0 @@
/* acconfig.h: Extra commentary for Autoheader
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
/* Define if the closedir function returns void instead of int. */
#undef CLOSEDIR_VOID
/* Define if you want the FTP daemon to support anonymous logins. */
#undef DOANONYMOUS
/* The default value of the PATH environment variable */
#undef DEFAULT_PATH
/* Defined if the file /etc/default/login exists
(and, presumably, should be looked at by login) */
#undef HAVE_ETC_DEFAULT_LOGIN
/* Defined to the name of a file that contains a list of files whose
permissions and ownerships should be changed on login. */
#undef HAVE_LOGIN_PERMFILE
/* Defined to the name of a file that contains a list of environment
values that should be set on login. */
#undef HAVE_LOGIN_ENVFILE
/* Defined if the file /etc/securetty exists
(and, presumably, should be looked at by login) */
#undef HAVE_SECURETTY
/* Defined if the file /etc/shadow exists
(and, presumably, should be looked at for shadow passwords) */
#undef HAVE_ETC_SHADOW
/* The path to the access file, if we're going to use it */
#undef PATH_ACCESS_FILE
/* The path to the mail spool, if we know it */
#undef PATH_MAIL
/* The path to the utmp file, if we know it */
#undef PATH_UTMP_AC
/* The path to the utmpx file, if we know it */
#undef PATH_UTMPX_AC
/* The path to the wtmp file, if we know it */
#undef PATH_WTMP_AC
/* The path to the wtmpx file, if we know it */
#undef PATH_WTMPX_AC
/* Defined if the system's profile (/etc/profile) displays
the motd file */
#undef HAVE_MOTD_IN_PROFILE
/* Defined if the system's profile (/etc/profile) informs the
user of new mail */
#undef HAVE_MAILCHECK_IN_PROFILE
/* Define if you have a nonstandard gettimeofday() that takes one argument
instead of two. */
#undef HAVE_ONE_ARG_GETTIMEOFDAY
/* Define if the system has the getenv function */
#undef HAVE_GETENV
/* Define if the system has the setenv function */
#undef HAVE_SETENV
/* Define if the system has the /var/adm/sulog file */
#undef HAVE_SULOG
/* Define if the system has the unsetenv function */
#undef HAVE_UNSETENV
/* Define if the compiler can handle ANSI-style argument lists */
#undef HAVE_ANSIDECL
/* Define if the compiler can handle ANSI-style prototypes */
#undef HAVE_ANSIPROTO
/* Define if the system has an ANSI-style printf (returns int instead of char *) */
#undef HAVE_ANSISPRINTF
/* Define if the compiler can handle ANSI-style variable argument lists */
#undef HAVE_ANSISTDARG
/* Define if the compiler can handle void argument lists to functions */
#undef HAVE_VOIDARG
/* Define if the compiler can handle void return "values" from functions */
#undef HAVE_VOIDRET
/* Define if the compiler can handle void pointers to our liking */
#undef HAVE_VOIDPTR
/* Define if the /bin/ls command seems to support the -g flag */
#undef HAVE_LS_G_FLAG
/* Define if there is a ut_pid field in struct utmp */
#undef HAVE_UT_PID
/* Define if there is a ut_type field in struct utmp */
#undef HAVE_UT_TYPE
/* Define if there is a ut_user field in struct utmp */
#undef HAVE_UT_USER
/* Define if there is a ut_name field in struct utmp */
#undef HAVE_UT_NAME
/* Define if there is a ut_host field in struct utmp */
#undef HAVE_UT_HOST
/* Define if there is a ut_id field in struct utmp */
#undef HAVE_UT_ID
/* Define if there is a ut_syslen field in struct utmp */
#undef HAVE_UT_SYSLEN
/* Define if there is a utx_syslen field in struct utmpx */
#undef HAVE_UTX_SYSLEN
/* Define if the system has getutline() */
#undef HAVE_GETUTLINE
/* Defined if the system has SunOS C2 security shadow passwords */
#undef HAVE_SUNOS_C2_SHADOW
/* Defined if you want to disable utmp support */
#undef DISABLE_UTMP
/* Defined if you want to disable wtmp support */
#undef DISABLE_WTMP
/* Defined if you want to allow users to override the insecure checks */
#undef INSECURE_OVERRIDE
/* Defined to the default hash value, always defined */
#undef MDX
/* Defined if new-style prompts are to be used */
#undef NEW_PROMPTS
/* Defined to the path of the OPIE lock directory */
#undef OPIE_LOCK_DIR
/* Defined if users are to be asked to re-type secret pass phrases */
#undef RETYPE
/* Defined if su should not switch to disabled accounts */
#undef SU_STAR_CHECK
/* Defined if user locking is to be used */
#undef USER_LOCKING
/* Defined if opieauto is to be used */
#undef OPIEAUTO
/* Define if you have the atexit function. */
#undef HAVE_ATEXIT
/* Define if you have the endutent function. */
#undef HAVE_ENDUTENT
/* Define if you have the initgroups function. */
#undef HAVE_INITGROUPS
/* Define if you have the memcmp function. */
#undef HAVE_MEMCMP
/* Define if you have the memcpy function. */
#undef HAVE_MEMCPY
/* Define if you have the memset function. */
#undef HAVE_MEMSET
/* Define if you have the getcwd function. */
#undef HAVE_GETCWD
/* Define if you have the getenv function. */
#undef HAVE_GETENV
/* Define if you have the getutline function. */
#undef HAVE_GETUTLINE
/* Define if you have the pututline function. */
#undef HAVE_PUTUTLINE
/* Define if you have the setenv function. */
#undef HAVE_SETENV
/* Define if you have the setegid function. */
#undef HAVE_SETEGID
/* Define if you have the seteuid function. */
#undef HAVE_SETEUID
/* Define if you have the setutent function. */
#undef HAVE_SETUTENT
/* Define if you have the sigprocmask function. */
#undef HAVE_SIGPROCMASK
/* Define if you have the strchr function. */
#undef HAVE_STRCHR
/* Define if you have the strrchr function. */
#undef HAVE_STRRCHR
/* Define if you have the strtoul function. */
#undef HAVE_STRTOUL
/* Define if you have the sysconf function. */
#undef HAVE_SYSCONF
/* Define if you have the uname function. */
#undef HAVE_UNAME
/* Define if you have the unsetenv function. */
#undef HAVE_UNSETENV

450
contrib/opie/config.h.in
View File

@ -1,450 +0,0 @@
/* config.h.in. Generated automatically from configure.in by autoheader. */
/* Define if on AIX 3.
System headers sometimes define this.
We just want to avoid a redefinition error message. */
#ifndef _ALL_SOURCE
#undef _ALL_SOURCE
#endif
/* Define if using alloca.c. */
#undef C_ALLOCA
/* Define to empty if the keyword does not work. */
#undef const
/* Define to one of _getb67, GETB67, getb67 for Cray-2 and Cray-YMP systems.
This function is required for alloca.c support on those systems. */
#undef CRAY_STACKSEG_END
/* Define if you have alloca, as a function or macro. */
#undef HAVE_ALLOCA
/* Define if you have <alloca.h> and it should be used (not on Ultrix). */
#undef HAVE_ALLOCA_H
/* Define if you have <sys/wait.h> that is POSIX.1 compatible. */
#undef HAVE_SYS_WAIT_H
/* Define if on MINIX. */
#undef _MINIX
/* Define if the system does not provide POSIX.1 features except
with this defined. */
#undef _POSIX_1_SOURCE
/* Define if you need to in order for stat and other things to work. */
#undef _POSIX_SOURCE
/* Define as the return type of signal handlers (int or void). */
#undef RETSIGTYPE
/* If using the C implementation of alloca, define if you know the
direction of stack growth for your system; otherwise it will be
automatically deduced at run-time.
STACK_DIRECTION > 0 => grows toward higher addresses
STACK_DIRECTION < 0 => grows toward lower addresses
STACK_DIRECTION = 0 => direction of growth unknown
*/
#undef STACK_DIRECTION
/* Define if you want the FTP daemon to support anonymous logins. */
#undef DOANONYMOUS
/* The default value of the PATH environment variable */
#undef DEFAULT_PATH
/* Defined if the file /etc/default/login exists
(and, presumably, should be looked at by login) */
#undef HAVE_ETC_DEFAULT_LOGIN
/* Defined to the name of a file that contains a list of files whose
permissions and ownerships should be changed on login. */
#undef HAVE_LOGIN_PERMFILE
/* Defined to the name of a file that contains a list of environment
values that should be set on login. */
#undef HAVE_LOGIN_ENVFILE
/* Defined if the file /etc/securetty exists
(and, presumably, should be looked at by login) */
#undef HAVE_SECURETTY
/* Defined if the file /etc/shadow exists
(and, presumably, should be looked at for shadow passwords) */
#undef HAVE_ETC_SHADOW
/* The path to the access file, if we're going to use it */
#undef PATH_ACCESS_FILE
/* The path to the mail spool, if we know it */
#undef PATH_MAIL
/* The path to the utmp file, if we know it */
#undef PATH_UTMP_AC
/* The path to the wtmp file, if we know it */
#undef PATH_WTMP_AC
/* The path to the wtmpx file, if we know it */
#undef PATH_WTMPX_AC
/* Defined if the system's profile (/etc/profile) displays
the motd file */
#undef HAVE_MOTD_IN_PROFILE
/* Defined if the system's profile (/etc/profile) informs the
user of new mail */
#undef HAVE_MAILCHECK_IN_PROFILE
/* Define if you have a nonstandard gettimeofday() that takes one argument
instead of two. */
#undef HAVE_ONE_ARG_GETTIMEOFDAY
/* Define if the system has the getenv function */
#undef HAVE_GETENV
/* Define if the system has the setenv function */
#undef HAVE_SETENV
/* Define if the system has the /var/adm/sulog file */
#undef HAVE_SULOG
/* Define if the system has the unsetenv function */
#undef HAVE_UNSETENV
/* Define if the compiler can handle ANSI-style argument lists */
#undef HAVE_ANSIDECL
/* Define if the compiler can handle ANSI-style prototypes */
#undef HAVE_ANSIPROTO
/* Define if the system has an ANSI-style printf (returns int instead of char *) */
#undef HAVE_ANSISPRINTF
/* Define if the compiler can handle ANSI-style variable argument lists */
#undef HAVE_ANSISTDARG
/* Define if the compiler can handle void argument lists to functions */
#undef HAVE_VOIDARG
/* Define if the compiler can handle void return "values" from functions */
#undef HAVE_VOIDRET
/* Define if the compiler can handle void pointers to our liking */
#undef HAVE_VOIDPTR
/* Define if the /bin/ls command seems to support the -g flag */
#undef HAVE_LS_G_FLAG
/* Define if there is a ut_pid field in struct utmp */
#undef HAVE_UT_PID
/* Define if there is a ut_type field in struct utmp */
#undef HAVE_UT_TYPE
/* Define if there is a ut_name field in struct utmp */
#undef HAVE_UT_NAME
/* Define if there is a ut_host field in struct utmp */
#undef HAVE_UT_HOST
/* Define if there is a ut_id field in struct utmp */
#undef HAVE_UT_ID
/* Define if there is a utx_syslen field in struct utmpx */
#undef HAVE_UTX_SYSLEN
/* Define if the system has getutline() */
#undef HAVE_GETUTLINE
/* Defined if the system has SunOS C2 security shadow passwords */
#undef HAVE_SUNOS_C2_SHADOW
/* Defined if you want to disable utmp support */
#undef DISABLE_UTMP
/* Defined if you want to disable wtmp support */
#undef DISABLE_WTMP
/* Defined if you want to allow users to override the insecure checks */
#undef INSECURE_OVERRIDE
/* Defined to the default hash value, always defined */
#undef MDX
/* Defined if new-style prompts are to be used */
#undef NEW_PROMPTS
/* Defined to the path of the OPIE lock directory */
#undef OPIE_LOCK_DIR
/* Defined if users are to be asked to re-type secret pass phrases */
#undef RETYPE
/* Defined if su should not switch to disabled accounts */
#undef SU_STAR_CHECK
/* Defined if opieauto is to be used */
#undef OPIEAUTO
/* Define if you have the atexit function. */
#undef HAVE_ATEXIT
/* Define if you have the endutent function. */
#undef HAVE_ENDUTENT
/* Define if you have the initgroups function. */
#undef HAVE_INITGROUPS
/* Define if you have the memcmp function. */
#undef HAVE_MEMCMP
/* Define if you have the memcpy function. */
#undef HAVE_MEMCPY
/* Define if you have the memset function. */
#undef HAVE_MEMSET
/* Define if you have the getcwd function. */
#undef HAVE_GETCWD
/* Define if you have the getenv function. */
#undef HAVE_GETENV
/* Define if you have the getutline function. */
#undef HAVE_GETUTLINE
/* Define if you have the pututline function. */
#undef HAVE_PUTUTLINE
/* Define if you have the setenv function. */
#undef HAVE_SETENV
/* Define if you have the setegid function. */
#undef HAVE_SETEGID
/* Define if you have the seteuid function. */
#undef HAVE_SETEUID
/* Define if you have the setutent function. */
#undef HAVE_SETUTENT
/* Define if you have the sigprocmask function. */
#undef HAVE_SIGPROCMASK
/* Define if you have the strchr function. */
#undef HAVE_STRCHR
/* Define if you have the strrchr function. */
#undef HAVE_STRRCHR
/* Define if you have the strtoul function. */
#undef HAVE_STRTOUL
/* Define if you have the sysconf function. */
#undef HAVE_SYSCONF
/* Define if you have the uname function. */
#undef HAVE_UNAME
/* Define if you have the unsetenv function. */
#undef HAVE_UNSETENV
/* Define if you have the bcopy function. */
#undef HAVE_BCOPY
/* Define if you have the bzero function. */
#undef HAVE_BZERO
/* Define if you have the endspent function. */
#undef HAVE_ENDSPENT
/* Define if you have the fpurge function. */
#undef HAVE_FPURGE
/* Define if you have the getdtablesize function. */
#undef HAVE_GETDTABLESIZE
/* Define if you have the getgroups function. */
#undef HAVE_GETGROUPS
/* Define if you have the gethostname function. */
#undef HAVE_GETHOSTNAME
/* Define if you have the getspnam function. */
#undef HAVE_GETSPNAM
/* Define if you have the gettimeofday function. */
#undef HAVE_GETTIMEOFDAY
/* Define if you have the getttynam function. */
#undef HAVE_GETTTYNAM
/* Define if you have the getusershell function. */
#undef HAVE_GETUSERSHELL
/* Define if you have the getutxline function. */
#undef HAVE_GETUTXLINE
/* Define if you have the getwd function. */
#undef HAVE_GETWD
/* Define if you have the index function. */
#undef HAVE_INDEX
/* Define if you have the lstat function. */
#undef HAVE_LSTAT
/* Define if you have the on_exit function. */
#undef HAVE_ON_EXIT
/* Define if you have the pututxline function. */
#undef HAVE_PUTUTXLINE
/* Define if you have the rindex function. */
#undef HAVE_RINDEX
/* Define if you have the setgroups function. */
#undef HAVE_SETGROUPS
/* Define if you have the setlogin function. */
#undef HAVE_SETLOGIN
/* Define if you have the setpriority function. */
#undef HAVE_SETPRIORITY
/* Define if you have the setregid function. */
#undef HAVE_SETREGID
/* Define if you have the setresgid function. */
#undef HAVE_SETRESGID
/* Define if you have the setresuid function. */
#undef HAVE_SETRESUID
/* Define if you have the setreuid function. */
#undef HAVE_SETREUID
/* Define if you have the setvbuf function. */
#undef HAVE_SETVBUF
/* Define if you have the sigaddset function. */
#undef HAVE_SIGADDSET
/* Define if you have the sigblock function. */
#undef HAVE_SIGBLOCK
/* Define if you have the sigemptyset function. */
#undef HAVE_SIGEMPTYSET
/* Define if you have the sigsetmask function. */
#undef HAVE_SIGSETMASK
/* Define if you have the socket function. */
#undef HAVE_SOCKET
/* Define if you have the strerror function. */
#undef HAVE_STRERROR
/* Define if you have the strftime function. */
#undef HAVE_STRFTIME
/* Define if you have the strncasecmp function. */
#undef HAVE_STRNCASECMP
/* Define if you have the strstr function. */
#undef HAVE_STRSTR
/* Define if you have the ttyslot function. */
#undef HAVE_TTYSLOT
/* Define if you have the usleep function. */
#undef HAVE_USLEEP
/* Define if you have the <crypt.h> header file. */
#undef HAVE_CRYPT_H
/* Define if you have the <dirent.h> header file. */
#undef HAVE_DIRENT_H
/* Define if you have the <fcntl.h> header file. */
#undef HAVE_FCNTL_H
/* Define if you have the <lastlog.h> header file. */
#undef HAVE_LASTLOG_H
/* Define if you have the <limits.h> header file. */
#undef HAVE_LIMITS_H
/* Define if you have the <ndir.h> header file. */
#undef HAVE_NDIR_H
/* Define if you have the <paths.h> header file. */
#undef HAVE_PATHS_H
/* Define if you have the <pwd.h> header file. */
#undef HAVE_PWD_H
/* Define if you have the <shadow.h> header file. */
#undef HAVE_SHADOW_H
/* Define if you have the <signal.h> header file. */
#undef HAVE_SIGNAL_H
/* Define if you have the <stdlib.h> header file. */
#undef HAVE_STDLIB_H
/* Define if you have the <string.h> header file. */
#undef HAVE_STRING_H
/* Define if you have the <sys/dir.h> header file. */
#undef HAVE_SYS_DIR_H
/* Define if you have the <sys/file.h> header file. */
#undef HAVE_SYS_FILE_H
/* Define if you have the <sys/ioctl.h> header file. */
#undef HAVE_SYS_IOCTL_H
/* Define if you have the <sys/ndir.h> header file. */
#undef HAVE_SYS_NDIR_H
/* Define if you have the <sys/param.h> header file. */
#undef HAVE_SYS_PARAM_H
/* Define if you have the <sys/select.h> header file. */
#undef HAVE_SYS_SELECT_H
/* Define if you have the <sys/signal.h> header file. */
#undef HAVE_SYS_SIGNAL_H
/* Define if you have the <sys/time.h> header file. */
#undef HAVE_SYS_TIME_H
/* Define if you have the <sys/utsname.h> header file. */
#undef HAVE_SYS_UTSNAME_H
/* Define if you have the <syslog.h> header file. */
#undef HAVE_SYSLOG_H
/* Define if you have the <termios.h> header file. */
#undef HAVE_TERMIOS_H
/* Define if you have the <unistd.h> header file. */
#undef HAVE_UNISTD_H
/* Define if you have the <utmpx.h> header file. */
#undef HAVE_UTMPX_H
/* Define if you have the crypt library (-lcrypt). */
#undef HAVE_LIBCRYPT
/* Define if you have the nsl library (-lnsl). */
#undef HAVE_LIBNSL
/* Define if you have the posix library (-lposix). */
#undef HAVE_LIBPOSIX
/* Define if you have the socket library (-lsocket). */
#undef HAVE_LIBSOCKET

12
contrib/opie/config.testeflag
View File

@ -1,12 +0,0 @@
#! /bin/sh
if test -e README >/dev/null 2>/dev/null
then
if test -e a.non-existant-file >/dev/null 2>/dev/null
then
exit 1
else
exit 0
fi
else
exit 1
fi

5247
contrib/opie/configure vendored
View File

File diff suppressed because it is too large Load Diff

562
contrib/opie/configure.in
View File

@ -1,562 +0,0 @@
dnl configure.in: Input for Autoconf
dnl
dnl %%% portions-copyright-cmetz-96
dnl Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
dnl Reserved. The Inner Net License Version 2 applies to these portions of
dnl the software.
dnl You should have received a copy of the license with this software. If
dnl you didn't get a copy, you may request one from <license@inner.net>.
dnl
dnl Portions of this software are Copyright 1995 by Randall Atkinson and Dan
dnl McDonald, All Rights Reserved. All Rights under this copyright are assigned
dnl to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
dnl License Agreement applies to this software.
dnl
dnl History:
dnl
dnl Modified by cmetz for OPIE 2.4. Add --enable-opieauto option. Check
dnl for ut_id and ut_syslen. Make disable-wtmp disable wtmp not utmp.
dnl Define HAVE_foo if foo is found by the libmissing function check.
dnl Added checks for libmissing functions that were there but never
dnl actually checked for and therefore available.
dnl Modified by cmetz for OPIE 2.32. Substitute default for LOCK_DIR.
dnl Fix the --disable-user-locking bug. AC_DEFINE variables to 1.
dnl Really check for ut_host.
dnl Modified by cmetz for OPIE 2.31. Put back manual utmp[x]/wtmp[x]
dnl checks -- too many OSs can't be trusted to tell us where they are.
dnl Check for sys/select.h. Spell endutent right. Replace strtoul()
dnl if needed. Removed duplicate check for sysconf. Added check for
dnl SunOS C2 shadow passwords (may need more work). Replace
dnl setutent. Added options to disable use of utmp/wtmp. Replace
dnl seteuid and setegid. Check for usleep. Moved options.h options
dnl here as enable/disable options.
dnl Modified by cmetz for OPIE 2.3. Removed redundant memset/memcpy.
dnl Changed ls -g test around. Changed logindevperm/fbtab defines.
dnl Added check for /etc/environment and /etc/src.sh. Check for
dnl /var/adm/sulog. Check for {get,put}utxline, provide libmissing
dnl versionf of {get,put}utline. Added --enable option for anonymous
dnl FTP. Got rid of a few unneeded checks. Check for functions only
dnl used by libmissing only if the replacement function that needs
dnl them is itself needed.
dnl Modified by cmetz for OPIE 2.22. Check for Solaris drain bamaged ls.
dnl Check for setlogin(). Removed duplicate checks for some funcs.
dnl Modified by cmetz for OPIE 2.21. Filename must be in utmp[x]/wtmp[x]
dnl defines.
dnl Modified by cmetz for OPIE 2.2. Misc changes. Changed for libmissing
dnl support and building its target object list. Changed to support
dnl FUNCTION declaration et al. Added a LOT of checks and a LOT of
dnl fixes.
dnl Created at NRL for OPIE 2.1.
AC_INIT(README)
AC_CONFIG_HEADER(config.h)
AC_ARG_ENABLE(access-file, [ --enable-access-file=FILENAME
Enable the OPIE access file FILENAME], AC_DEFINE_UNQUOTED(PATH_ACCESS_FILE, "$enable_access_file") echo "Using the access file in $enable_access_file -- don't say we didn't warn you!")
ACCESS_FILE="$enable_access_file"
AC_SUBST(ACCESS_FILE)
AC_ARG_ENABLE(server-md4, [ --enable-server-md4 Use MD4 instead of MD5 for the server], AC_DEFINE(MDX, 4), AC_DEFINE(MDX, 5))
AC_ARG_ENABLE(user-locking, [ --disable-user-locking Disable user locking
--enable-user-locking[=DIR]
Put user lock files in DIR [/etc/opielocks]],,)
if test "$enable_user_locking" != no;
then
if test -z "$enable_user_locking"
then
AC_DEFINE(OPIE_LOCK_DIR, "/etc/opielocks")
LOCK_DIR="/etc/opielocks"
else
AC_DEFINE_UNQUOTED(OPIE_LOCK_DIR, "$enable_user_locking")
LOCK_DIR="$enable_user_locking"
fi
fi
AC_SUBST(LOCK_DIR)
AC_ARG_ENABLE(retype, [ --enable-retype Ask users to re-type their secret pass phrases], AC_DEFINE(RETYPE, 1))
AC_ARG_ENABLE(su-star-check, [ --enable-su-star-check Refuse to switch to disabled accounts], AC_DEFINE(SU_STAR_CHECK, 1))
AC_ARG_ENABLE(new-prompts, [ --disable-new-prompts Use more compatible (but less informative) prompts],, AC_DEFINE(NEW_PROMPTS, 1))
AC_ARG_ENABLE(insecure-override, [ --enable-insecure-override
Allow users to override insecure checks], AC_DEFINE(INSECURE_OVERRIDE, 1))
AC_ARG_ENABLE(anonymous-ftp, [ --enable-anonymous-ftp Enable anonymous FTP support], AC_DEFINE(DOANONYMOUS, 1) echo "enabling anonymous FTP support in ftp -- don't say we didn't warn you!")
AC_ARG_ENABLE(utmp, [ --disable-utmp Disable utmp logging], AC_DEFINE(DISABLE_UTMP, 1) echo "disabling utmp logging")
AC_ARG_ENABLE(wtmp, [ --disable-wtmp Disable wtmp logging], AC_DEFINE(DISABLE_WTMP, 1) echo "disabling wtmp logging")
AC_ARG_ENABLE(opieauto, [ --enable-opieauto Enable support for opieauto], AC_DEFINE(OPIEAUTO, 1) OPIEAUTO=opieauto; echo "enabling opieauto support")
AC_SUBST(OPIEAUTO)
dnl Checks for programs.
AC_PROG_CC
AC_PROG_CPP
AC_PROG_LN_S
AC_PROG_RANLIB
AC_PROG_YACC
AC_AIX
AC_ISC_POSIX
AC_MINIX
dnl We'd put PATH in these checks, but it turns out that autoconf doesn't
dnl work as documented when it comes to the colon separator...
AC_PATH_PROG(CHOWN, chown, /bin/chown, /usr/bin /bin /usr/sbin /sbin /usr/etc /etc)
AC_PATH_PROG(SU, su, /bin/su, /usr/bin /bin)
AC_PATH_PROG(ALT_SU, su,, /usr/sbin /sbin)
AC_PATH_PROG(SCHEME, scheme,, /usr/lib/iaf/scheme)
AC_PATH_PROG(LOGIN, login, /bin/login, /usr/bin /bin)
dnl AC_DEFINE_UNQUOTED(PATH_LOGIN, "$LOGIN")
if test ! -z "$SCHEME";
then
LOGIN="$SCHEME";
fi
AC_PATH_PROG(FTPD, ftpd,, /usr/libexec /usr/etc /etc /usr/sbin /sbin /usr/lbin)
AC_PATH_PROG(INFTPD, in.ftpd,, /usr/libexec /usr/etc /etc /usr/sbin /sbin /usr/lbin)
if test -z "$FTPD"
then
if test ! -z "$INFTPD"
then
FTPD="$INFTPD"
fi
fi
AC_MSG_CHECKING(for default PATH entries)
default_path=""
save_IFS="$IFS"
IFS=" "
for i in /usr/bin /bin /usr/ucb /usr/sbin /usr/bsd /sbin /usr/bin/X11 /etc /usr/local/X11/bin /usr/X11R6/bin /your-system-is-broken
do
IFS=":"
for j in $PATH
do
if test "$i" = "$j"
then
if test -d "$i"
then
if test -z "$default_path"
then
default_path="$i"
else
default_path="$default_path:$i"
fi
fi
fi
done
IFS=" "
done
AC_DEFINE_UNQUOTED(DEFAULT_PATH, "$default_path")
AC_MSG_RESULT($default_path)
AC_MSG_CHECKING(for test -e flag)
if sh config.testeflag
then
result=yes
EXISTS="-e"
else
result=no
EXISTS="-f"
fi
AC_SUBST(EXISTS)
AC_MSG_RESULT($result)
AC_MSG_CHECKING(for mkdir -p flag)
if test -d config.tmpdir
then
rmdir config.tmpdir/foo/bar >/dev/null 2>/dev/null
rmdir config.tmpdir/foo >/dev/null 2>/dev/null
rmdir config.tmpdir >/dev/null 2>/dev/null
fi
result=no
if mkdir -p config.tmpdir/foo/bar >/dev/null 2>/dev/null
then
if test -d config.tmpdir
then
if test -d config.tmpdir/foo
then
if test -d config.tmpdir/foo/bar
then
result=yes
rmdir config.tmpdir/foo/bar >/dev/null 2>/dev/null
fi
rmdir config.tmpdir/foo >/dev/null 2>/dev/null
fi
rmdir config.tmpdir >/dev/null 2>/dev/null
fi
fi
if test "$result" = yes
then
MKDIR="mkdir -p"
else
MKDIR="mkdir"
fi
AC_SUBST(MKDIR)
AC_MSG_RESULT($result)
AC_MSG_CHECKING(for ls group field)
lsg=`/bin/ls -ldg / | wc -w | awk '{print $1}'`;
ls=`/bin/ls -ld / | wc -w | awk '{print $1}'`;
result="no"
if test $ls = 9;
then
result="yes"
else
if test "$ls" = 8 -a "$lsg" = 9;
then
result="yes, with -g"
AC_DEFINE(HAVE_LS_G_FLAG)
fi
fi
AC_MSG_RESULT($result)
dnl Checks for various system characteristics
AC_MSG_CHECKING(for /etc/default/login)
if test $EXISTS /etc/default/login
then
result=yes
AC_DEFINE(HAVE_ETC_DEFAULT_LOGIN)
else
result=no
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(for /etc/securetty)
if test $EXISTS /etc/securetty
then
result=yes
AC_DEFINE(HAVE_SECURETTY)
else
result=no
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(for /etc/logindevperm)
if test $EXISTS /etc/logindevperm
then
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_LOGIN_PERMFILE, "/etc/logindevperm")
else
AC_MSG_RESULT(no)
AC_MSG_CHECKING(for /etc/fbtab)
if test $EXISTS /etc/fbtab
then
result=yes
AC_DEFINE(HAVE_LOGIN_PERMFILE, "/etc/fbtab")
else
result=no
fi
AC_MSG_RESULT($result)
fi
AC_MSG_CHECKING(for /etc/environment)
if test $EXISTS /etc/environment
then
AC_MSG_RESULT(yes)
AC_DEFINE(HAVE_LOGIN_ENVFILE, "/etc/environment")
else
AC_MSG_RESULT(no)
AC_MSG_CHECKING(for /etc/src.sh)
if test $EXISTS /etc/src.sh
then
result=yes
AC_DEFINE(HAVE_LOGIN_ENVFILE, "/etc/src.sh")
else
result=no
fi
AC_MSG_RESULT($result)
fi
AC_MSG_CHECKING(for /etc/shadow)
if test $EXISTS /etc/shadow
then
result=yes
AC_DEFINE(HAVE_ETC_SHADOW)
else
AC_MSG_RESULT(no)
AC_MSG_CHECKING(for /etc/security/passwd.adjunct)
if test $EXISTS /etc/security/passwd.adjunct
then
result=yes
AC_DEFINE(HAVE_SUNOS_C2_SHADOW)
LIBOBJS="$LIBOBJS getspnam.o endspent.o"
else
result=no
fi
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(for /var/adm/sulog)
if test $EXISTS /var/adm/sulog
then
result=yes
AC_DEFINE(HAVE_SULOG)
else
result=no
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(mail spool location)
mail_spool=""
for i in /var/mail /usr/mail /var/spool/mail /usr/spool/mail
do
if test -d $i
then
mail_spool="$i"
fi
done
if test -z "$mail_spool"
then
result="not found"
else
result="$mail_spool"
AC_DEFINE_UNQUOTED(PATH_MAIL, "$mail_spool")
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(where your system puts the utmp file)
utmp_path=""
for i in /var/run /var/adm /usr/adm /etc
do
if test $EXISTS $i/utmp
then
utmp_path="$i"
fi
done
if test -z "$utmp_path"
then
result="not found"
else
result="$utmp_path"
AC_DEFINE_UNQUOTED(PATH_UTMP_AC, "$utmp_path/utmp")
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(where your system puts the utmpx file)
utmp_path=""
for i in /var/run /var/adm /usr/adm /etc
do
if test $EXISTS $i/utmp
then
utmp_path="$i"
fi
done
if test -z "$utmp_path"
then
result="not found"
AC_DEFINE_UNQUOTED(PATH_UTMP_AC, "$utmp_path/utmpx")
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(where your system puts the wtmp file)
wtmp_path=""
for i in /var/run /var/log /var/adm /usr/adm /etc
do
if test $EXISTS $i/wtmp
then
wtmp_path="$i"
fi
done
if test -z "$wtmp_path"
then
result="not found"
else
result="$wtmp_path"
AC_DEFINE_UNQUOTED(PATH_WTMP_AC, "$wtmp_path/wtmp")
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(where your system puts the wtmpx file)
wtmpx_path=""
for i in /var/run /var/log /var/adm /usr/adm /etc
do
if test $EXISTS $i/wtmpx
then
wtmpx_path="$i"
fi
done
if test -z "$wtmpx_path"
then
result="not found"
else
result="$wtmpx_path"
AC_DEFINE_UNQUOTED(PATH_WTMPX_AC, "$wtmpx_path/wtmpx")
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(whether the system profile displays the motd)
result=no
if test $EXISTS /etc/profile
then
if grep motd /etc/profile >/dev/null 2>/dev/null
then
result=yes
fi
fi
if test "$result" = yes
then
AC_DEFINE(HAVE_MOTD_IN_PROFILE)
fi
AC_MSG_RESULT($result)
AC_MSG_CHECKING(whether the system profile checks for mail)
result=no
if test $EXISTS /etc/profile
then
if grep 'mail\.' /etc/profile >/dev/null 2>/dev/null
then
result=yes
fi
fi
if test "$result" = yes
then
AC_DEFINE(HAVE_MAILCHECK_IN_PROFILE)
fi
AC_MSG_RESULT($result)
dnl Random checks
AC_C_CONST
AC_MSG_CHECKING(to see if your compiler can handle void arguments)
AC_TRY_COMPILE(foo(void) { },, AC_DEFINE(HAVE_VOIDARG) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(to see if your compiler can handle void return values)
AC_TRY_COMPILE(void foo() { },, AC_DEFINE(HAVE_VOIDRET) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(to see if your compiler can handle void pointers)
AC_TRY_COMPILE(foo() { void *bar = (void *)0x42; bar = bar + 1; },, AC_DEFINE(HAVE_VOIDPTR) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(to see if your compiler can handle ANSI argument lists)
AC_TRY_COMPILE(int foo(int bar, int baz) { return 0; },, AC_DEFINE(HAVE_ANSIDECL) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(to see if your compiler can handle ANSI prototypes)
AC_TRY_COMPILE(extern int foo(int, int);,, AC_DEFINE(HAVE_ANSIPROTO) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(to see if your compiler can handle ANSI variable arguments)
AC_TRY_COMPILE([#include <stdarg.h>
int foo(int arg, ...) {
va_list ap;
va_start(ap, arg);
va_end(ap);
return 0;
}],, AC_DEFINE(HAVE_ANSISTDARG) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(to see if you have an ANSI-style sprintf)
AC_TRY_RUN([#include <stdio.h>
int main(argc, argv)
int argc;
char *argv[];
{
char buf[5];
int i = 2;
i += sprintf(buf, "1234");
return (i == 6) ? 0 : -1;
}], AC_DEFINE(HAVE_ANSISPRINTF) AC_MSG_RESULT(yes), AC_MSG_RESULT(no), AC_MSG_RESULT(no))
dnl Checks for libraries.
AC_CHECK_LIB(crypt, crypt)
AC_CHECK_LIB(nsl, gethostname)
AC_CHECK_LIB(posix, main)
AC_CHECK_LIB(socket, socket)
dnl Checks for header files.
AC_HEADER_DIRENT
AC_HEADER_SYS_WAIT
AC_CHECK_HEADERS(crypt.h fcntl.h limits.h termios.h sys/file.h sys/ioctl.h sys/time.h syslog.h unistd.h paths.h shadow.h signal.h sys/signal.h lastlog.h sys/utsname.h pwd.h sys/param.h string.h stdlib.h utmpx.h sys/select.h)
dnl Checks for typedefs, structures, and compiler characteristics.
dnl AC_TYPE_UID_T
dnl AC_TYPE_OFF_T
dnl AC_TYPE_PID_T
dnl AC_STRUCT_ST_BLKSIZE
dnl AC_STRUCT_TM
AC_MSG_CHECKING(for ut_pid in struct utmp)
AC_TRY_COMPILE([#include <sys/types.h>
#include <utmp.h>], [struct utmp foo; return (int)foo.ut_pid;], AC_DEFINE(HAVE_UT_PID) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(for ut_type in struct utmp)
AC_TRY_COMPILE([#include <sys/types.h>
#include <utmp.h>], [struct utmp foo; return (int)foo.ut_type;], AC_DEFINE(HAVE_UT_TYPE) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(for ut_name in struct utmp)
AC_TRY_COMPILE([#include <sys/types.h>
#include <utmp.h>], [struct utmp foo; return (int)foo.ut_name[0];], AC_DEFINE(HAVE_UT_NAME) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
dnl AC_MSG_CHECKING(for ut_user in struct utmp)
dnl AC_TRY_COMPILE([#include <sys/types.h>
dnl #include <utmp.h>], [struct utmp foo; return (int)foo.ut_user[0];], AC_DEFINE(HAVE_UT_USER) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(for ut_host in struct utmp)
AC_TRY_COMPILE([#include <sys/types.h>
#include <utmp.h>], [struct utmp foo; return (int)foo.ut_host[0];], AC_DEFINE(HAVE_UT_HOST) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(for ut_id in struct utmp)
AC_TRY_COMPILE([#include <sys/types.h>
#include <utmp.h>], [struct utmp foo; return (int)foo.ut_id[0];], AC_DEFINE(HAVE_UT_ID) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
#AC_MSG_CHECKING(for ut_syslen in struct utmp)
#AC_TRY_COMPILE([#include <sys/types.h>
##include <utmp.h>], [struct utmp foo; return (int)foo.ut_syslen;], AC_DEFINE(HAVE_UT_SYSLEN) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
AC_MSG_CHECKING(for ut_syslen in struct utmpx)
AC_TRY_COMPILE([#include <sys/types.h>
#include <utmpx.h>], [struct utmpx foo; return (int)foo.ut_syslen;], AC_DEFINE(HAVE_UTX_SYSLEN) AC_MSG_RESULT(yes), AC_MSG_RESULT(no))
dnl Checks for library functions.
dnl AC_PROG_GCC_TRADITIONAL
AC_TYPE_SIGNAL
AC_CHECK_FUNCS(gettimeofday socket strftime strstr setpriority getttynam setvbuf getspnam endspent setgroups getgroups fpurge setlogin lstat getutxline pututxline usleep)
dnl Libmissing...
AC_FUNC_MEMCMP
AC_FUNC_ALLOCA
AC_REPLACE_FUNCS(getusershell sigaddset sigemptyset strerror strncasecmp)
MISSING="$LIBOBJS $ALLOCA " ;
dnl These should be simplified by a macro
AC_CHECK_FUNC(atexit, AC_DEFINE(HAVE_ATEXIT), MISSING="${MISSING}atexit.o "; AC_CHECK_FUNCS(on_exit))
AC_CHECK_FUNC(endutent, AC_DEFINE(HAVE_ENDUTENT), MISSING="${MISSING}endutent.o ")
AC_CHECK_FUNC(initgroups, AC_DEFINE(HAVE_INITGROUPS), MISSING="${MISSING}initgroups.o ")
AC_CHECK_FUNC(memcmp, AC_DEFINE(HAVE_MEMCMP), MISSING="${MISSING}memcmp.o ")
AC_CHECK_FUNC(memcpy, AC_DEFINE(HAVE_MEMCPY), MISSING="${MISSING}memcpy.o "; AC_CHECK_FUNCS(bcopy))
AC_CHECK_FUNC(memset, AC_DEFINE(HAVE_MEMSET), MISSING="${MISSING}memset.o "; AC_CHECK_FUNCS(bzero))
AC_CHECK_FUNC(getcwd, AC_DEFINE(HAVE_GETCWD), MISSING="${MISSING}getcwd.o "; AC_CHECK_FUNCS(getwd))
AC_CHECK_FUNC(getenv, AC_DEFINE(HAVE_GETENV), MISSING="${MISSING}env.o ")
AC_CHECK_FUNC(getutline, AC_DEFINE(HAVE_GETUTLINE), MISSING="${MISSING}getutline.o "; AC_CHECK_FUNCS(ttyslot))
AC_CHECK_FUNC(pututline, AC_DEFINE(HAVE_PUTUTLINE), MISSING="${MISSING}pututline.o "; AC_CHECK_FUNCS(ttyslot))
AC_CHECK_FUNC(setenv, AC_DEFINE(HAVE_SETENV), MISSING="${MISSING}env.o ")
AC_CHECK_FUNC(setegid, AC_DEFINE(HAVE_SETEGID), MISSING="${MISSING}setegid.o "; AC_CHECK_FUNCS(setregid setresgid))
AC_CHECK_FUNC(seteuid, AC_DEFINE(HAVE_SETEUID), MISSING="${MISSING}seteuid.o "; AC_CHECK_FUNCS(setreuid setresuid))
AC_CHECK_FUNC(setutent, AC_DEFINE(HAVE_SETUTENT), MISSING="${MISSING}setutent.o ")
AC_CHECK_FUNC(sigprocmask, AC_DEFINE(HAVE_SIGPROCMASK), MISSING="${MISSING}sigprocmask.o "; AC_CHECK_FUNCS(sigblock sigsetmask))
AC_CHECK_FUNC(strchr, AC_DEFINE(HAVE_STRCHR), MISSING="${MISSING}strchr.o "; AC_CHECK_FUNCS(index))
AC_CHECK_FUNC(strrchr, AC_DEFINE(HAVE_STRRCHR), MISSING="${MISSING}strrchr.o "; AC_CHECK_FUNCS(rindex))
AC_CHECK_FUNC(strtoul, AC_DEFINE(HAVE_STRTOUL), MISSING="${MISSING}strtoul.o ")
AC_CHECK_FUNC(sysconf, AC_DEFINE(HAVE_SYSCONF), MISSING="${MISSING}sysconf.o "; AC_CHECK_FUNCS(getdtablesize))
AC_CHECK_FUNC(uname, AC_DEFINE(HAVE_UNAME), MISSING="${MISSING}uname.o "; AC_CHECK_FUNCS(gethostname))
AC_CHECK_FUNC(unsetenv, AC_DEFINE(HAVE_UNSETENV), MISSING="${MISSING}env.o ")
AC_SUBST(MISSING)
AC_MSG_CHECKING(for nonstandard gettimeofday)
AC_TRY_COMPILE([
#if HAVE_SYS_TIME_H
#include <sys/time.h>
#endif /* HAVE_SYS_TIME_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
],
[struct timeval tv;
gettimeofday(&tv, NULL)], AC_MSG_RESULT(no), AC_MSG_RESULT(maybe) AC_TRY_COMPILE([
#if HAVE_SYS_TIME_H
#include <sys/time.h>
#endif /* HAVE_SYS_TIME_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
],
[struct timeval tv;
gettimeofday(&tv)], AC_DEFINE(HAVE_ONE_ARG_GETTIMEOFDAY) AC_MSG_RESULT(yes), AC_MSG_RESULT(no)))
# Munge out LOCALBIN and LOCALMAN in canonical (no bletch) form
AC_OUTPUT(configure.munger libmissing/Makefile libopie/Makefile Makefile.munge:Makefile.in)
sh configure.munger

16
contrib/opie/configure.munger.in
View File

@ -1,16 +0,0 @@
prefix=@prefix@
exec_prefix=@exec_prefix@
bindir=@bindir@
mandir=@mandir@
LOCALBIN=$bindir
LOCALMAN=$mandir
echo ""
echo "Binaries are going to be installed into $LOCALBIN,"
echo "Manual pages are going to be installed into $LOCALMAN."
echo ""
echo "creating Makefile"
cat Makefile.munge | sed s:@LOCALMAN@:$LOCALMAN:g | sed s:@LOCALBIN@:$LOCALBIN:g > Makefile
echo ""
echo "Have you read the README file?"

1290
contrib/opie/ftpcmd.y
View File

File diff suppressed because it is too large Load Diff

668
contrib/opie/glob.c
View File

@ -1,668 +0,0 @@
/* glob.c: The csh et al glob pattern matching routines.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.32. Remove include of dirent.h here; it's
done already (and conditionally) in opie_cfg.h.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Remove useless strings. Prototype right.
Modified at NRL for OPIE 2.0.
Originally from BSD.
*/
/*
* Copyright (c) 1980 Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/*
* C-shell glob for random programs.
*/
#include "opie_cfg.h"
#if HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif /* HAVE_SYS_PARAM_H */
#include <sys/stat.h>
#if HAVE_PWD_H
#include <pwd.h>
#endif /* HAVE_PWD_H */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#if HAVE_LIMITS_H
#include <limits.h>
#endif /* HAVE_LIMITS_H */
#include "opie.h"
#ifndef NCARGS
#define NCARGS 600
#endif /* NCARGS */
#define QUOTE 0200
#define TRIM 0177
#define eq(a,b) (strcmp((a),(b)) == (0))
#define GAVSIZ (NCARGS/6)
#define isdir(d) (((d.st_mode) & S_IFMT) == S_IFDIR)
static char **gargv; /* Pointer to the (stack) arglist */
static int gargc; /* Number args in gargv */
static int gnleft;
static short gflag;
static int letter __P((register char));
static int digit __P((register char));
static int any __P((int, char *));
static int blklen __P((register char **));
VOIDRET blkfree __P((char **));
static char *strspl __P((register char *, register char *));
static int tglob __P((register char c));
extern int errno;
static char *strend __P((char *));
static int globcnt;
static char *globchars = "`{[*?";
char *globerr = NULL;
char *home = NULL;
static char *gpath, *gpathp, *lastgpathp;
static int globbed;
static char *entp;
static char **sortbas;
static int amatch __P((char *p, char *s));
static int execbrc __P((register char *p, register char *s));
VOIDRET opiefatal __P((char *));
char **copyblk __P((char **));
static int match FUNCTION((s, p), char *s AND char *p)
{
register int c;
register char *sentp;
char sglobbed = globbed;
if (*s == '.' && *p != '.')
return (0);
sentp = entp;
entp = s;
c = amatch(s, p);
entp = sentp;
globbed = sglobbed;
return (c);
}
static int Gmatch FUNCTION((s, p), register char *s AND register char *p)
{
register int scc;
int ok, lc;
int c, cc;
for (;;) {
scc = *s++ & TRIM;
switch (c = *p++) {
case '[':
ok = 0;
lc = 077777;
while (cc = *p++) {
if (cc == ']') {
if (ok)
break;
return (0);
}
if (cc == '-') {
if (lc <= scc && scc <= *p++)
ok++;
} else
if (scc == (lc = cc))
ok++;
}
if (cc == 0)
if (ok)
p--;
else
return 0;
continue;
case '*':
if (!*p)
return (1);
for (s--; *s; s++)
if (Gmatch(s, p))
return (1);
return (0);
case 0:
return (scc == 0);
default:
if ((c & TRIM) != scc)
return (0);
continue;
case '?':
if (scc == 0)
return (0);
continue;
}
}
}
static VOIDRET Gcat FUNCTION((s1, s2), register char *s1 AND register char *s2)
{
register int len = strlen(s1) + strlen(s2) + 1;
if (len >= gnleft || gargc >= GAVSIZ - 1)
globerr = "Arguments too long";
else {
gargc++;
gnleft -= len;
gargv[gargc] = 0;
gargv[gargc - 1] = strspl(s1, s2);
}
}
static VOIDRET addpath FUNCTION((c), char c)
{
if (gpathp >= lastgpathp)
globerr = "Pathname too long";
else {
*gpathp++ = c;
*gpathp = 0;
}
}
static VOIDRET rscan FUNCTION((t, f), register char **t AND int (*f)__P((char)))
{
register char *p, c;
while (p = *t++) {
if (f == tglob)
if (*p == '~')
gflag |= 2;
else
if (eq(p, "{") || eq(p, "{}"))
continue;
while (c = *p++)
(*f) (c);
}
}
static int tglob FUNCTION((c), register char c)
{
if (any(c, globchars))
gflag |= c == '{' ? 2 : 1;
return (c);
}
static int letter FUNCTION((c), register char c)
{
return (c >= 'a' && c <= 'z' || c >= 'A' && c <= 'Z' || c == '_');
}
static int digit FUNCTION((c), register char c)
{
return (c >= '0' && c <= '9');
}
static int any FUNCTION((c, s), int c AND char *s)
{
while (*s)
if (*s++ == c)
return (1);
return (0);
}
static int blklen FUNCTION((av), register char **av)
{
register int i = 0;
while (*av++)
i++;
return (i);
}
static char **blkcpy FUNCTION((oav, bv), char **oav AND register char **bv)
{
register char **av = oav;
while (*av++ = *bv++)
continue;
return (oav);
}
VOIDRET blkfree FUNCTION((av0), char **av0)
{
register char **av = av0;
while (*av)
free(*av++);
}
static char *strspl FUNCTION((cp, dp), register char *cp AND register char *dp)
{
register char *ep = (char *) malloc((unsigned) (strlen(cp) +
strlen(dp) + 1));
if (ep == (char *) 0)
opiefatal("Out of memory");
strcpy(ep, cp);
strcat(ep, dp);
return (ep);
}
char **copyblk FUNCTION((v), char **v)
{
register char **nv = (char **) malloc((unsigned) ((blklen(v) + 1) *
sizeof(char **)));
if (nv == (char **) 0)
opiefatal("Out of memory");
return (blkcpy(nv, v));
}
static char *strend FUNCTION((cp), register char *cp)
{
while (*cp)
cp++;
return (cp);
}
/*
* Extract a home directory from the password file
* The argument points to a buffer where the name of the
* user whose home directory is sought is currently.
* We write the home directory of the user back there.
*/
static int gethdir FUNCTION((home), char *home)
{
register struct passwd *pp = getpwnam(home);
if (!pp || home + strlen(pp->pw_dir) >= lastgpathp)
return (1);
strcpy(home, pp->pw_dir);
return (0);
}
static VOIDRET ginit FUNCTION((agargv), char **agargv)
{
agargv[0] = 0;
gargv = agargv;
sortbas = agargv;
gargc = 0;
gnleft = NCARGS - 4;
}
static VOIDRET sort FUNCTION_NOARGS
{
register char **p1, **p2, *c;
char **Gvp = &gargv[gargc];
p1 = sortbas;
while (p1 < Gvp - 1) {
p2 = p1;
while (++p2 < Gvp)
if (strcmp(*p1, *p2) > 0)
c = *p1, *p1 = *p2, *p2 = c;
p1++;
}
sortbas = Gvp;
}
static VOIDRET matchdir FUNCTION((pattern), char *pattern)
{
struct stat stb;
register struct dirent *dp;
DIR *dirp;
dirp = opendir(*gpath == '\0' ? "." : gpath);
if (dirp == NULL) {
if (globbed)
return;
goto patherr2;
}
#if !defined(linux)
if (fstat(dirp->dd_fd, &stb) < 0)
goto patherr1;
if (!isdir(stb)) {
errno = ENOTDIR;
goto patherr1;
}
#endif /* !defined(linux) */
while ((dp = readdir(dirp)) != NULL) {
if (dp->d_ino == 0)
continue;
if (match(dp->d_name, pattern)) {
Gcat(gpath, dp->d_name);
globcnt++;
}
}
closedir(dirp);
return;
patherr1:
closedir(dirp);
patherr2:
globerr = "Bad directory components";
}
static VOIDRET expand FUNCTION((as), char *as)
{
register char *cs;
register char *sgpathp, *oldcs;
struct stat stb;
sgpathp = gpathp;
cs = as;
if (*cs == '~' && gpathp == gpath) {
addpath('~');
for (cs++; letter(*cs) || digit(*cs) || *cs == '-';)
addpath(*cs++);
if (!*cs || *cs == '/') {
if (gpathp != gpath + 1) {
*gpathp = 0;
if (gethdir(gpath + 1))
globerr = "Unknown user name after ~";
strcpy(gpath, gpath + 1);
} else
strcpy(gpath, home);
gpathp = strend(gpath);
}
}
while (!any(*cs, globchars)) {
if (*cs == 0) {
if (!globbed)
Gcat(gpath, "");
else
if (stat(gpath, &stb) >= 0) {
Gcat(gpath, "");
globcnt++;
}
goto endit;
}
addpath(*cs++);
}
oldcs = cs;
while (cs > as && *cs != '/')
cs--, gpathp--;
if (*cs == '/')
cs++, gpathp++;
*gpathp = 0;
if (*oldcs == '{') {
execbrc(cs, ((char *) 0));
return;
}
matchdir(cs);
endit:
gpathp = sgpathp;
*gpathp = 0;
}
static int execbrc FUNCTION((p, s), char *p AND char *s)
{
char restbuf[BUFSIZ + 2];
register char *pe, *pm, *pl;
int brclev = 0;
char *lm, savec, *sgpathp;
for (lm = restbuf; *p != '{'; *lm++ = *p++)
continue;
for (pe = ++p; *pe; pe++)
switch (*pe) {
case '{':
brclev++;
continue;
case '}':
if (brclev == 0)
goto pend;
brclev--;
continue;
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
continue;
}
pend:
brclev = 0;
for (pl = pm = p; pm <= pe; pm++)
switch (*pm & (QUOTE | TRIM)) {
case '{':
brclev++;
continue;
case '}':
if (brclev) {
brclev--;
continue;
}
goto doit;
case ',' | QUOTE:
case ',':
if (brclev)
continue;
doit:
savec = *pm;
*pm = 0;
strcpy(lm, pl);
strcat(restbuf, pe + 1);
*pm = savec;
if (s == 0) {
sgpathp = gpathp;
expand(restbuf);
gpathp = sgpathp;
*gpathp = 0;
} else
if (amatch(s, restbuf))
return (1);
sort();
pl = pm + 1;
if (brclev)
return (0);
continue;
case '[':
for (pm++; *pm && *pm != ']'; pm++)
continue;
if (!*pm)
pm--;
continue;
}
if (brclev)
goto doit;
return (0);
}
static VOIDRET acollect FUNCTION((as), register char *as)
{
register int ogargc = gargc;
gpathp = gpath;
*gpathp = 0;
globbed = 0;
expand(as);
if (gargc != ogargc)
sort();
}
static VOIDRET collect FUNCTION((as), register char *as)
{
if (eq(as, "{") || eq(as, "{}")) {
Gcat(as, "");
sort();
} else
acollect(as);
}
static int amatch FUNCTION((s, p), register char *s AND register char *p)
{
register int scc;
int ok, lc;
char *sgpathp;
struct stat stb;
int c, cc;
globbed = 1;
for (;;) {
scc = *s++ & TRIM;
switch (c = *p++) {
case '{':
return (execbrc(p - 1, s - 1));
case '[':
ok = 0;
lc = 077777;
while (cc = *p++) {
if (cc == ']') {
if (ok)
break;
return (0);
}
if (cc == '-') {
if (lc <= scc && scc <= *p++)
ok++;
} else
if (scc == (lc = cc))
ok++;
}
if (cc == 0)
if (ok)
p--;
else
return 0;
continue;
case '*':
if (!*p)
return (1);
if (*p == '/') {
p++;
goto slash;
}
s--;
do {
if (amatch(s, p))
return (1);
}
while (*s++);
return (0);
case 0:
return (scc == 0);
default:
if (c != scc)
return (0);
continue;
case '?':
if (scc == 0)
return (0);
continue;
case '/':
if (scc)
return (0);
slash:
s = entp;
sgpathp = gpathp;
while (*s)
addpath(*s++);
addpath('/');
if (stat(gpath, &stb) == 0 && isdir(stb))
if (*p == 0) {
Gcat(gpath, "");
globcnt++;
} else
expand(p);
gpathp = sgpathp;
*gpathp = 0;
return (0);
}
}
}
char **ftpglob FUNCTION((v), register char *v)
{
char agpath[BUFSIZ];
char *agargv[GAVSIZ];
char *vv[2];
vv[0] = v;
vv[1] = 0;
gflag = 0;
rscan(vv, tglob);
if (gflag == 0) {
vv[0] = strspl(v, "");
return (copyblk(vv));
}
globerr = 0;
gpath = agpath;
gpathp = gpath;
*gpathp = 0;
lastgpathp = &gpath[sizeof agpath - 2];
ginit(agargv);
globcnt = 0;
collect(v);
if (globcnt == 0 && (gflag & 1)) {
blkfree(gargv), gargv = 0;
return (0);
} else
return (gargv = copyblk(gargv));
}

238
contrib/opie/install-sh
View File

@ -1,238 +0,0 @@
#! /bin/sh
#
# install - install a program, script, or datafile
# This comes from X11R5.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch.
#
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit="${DOITPROG-}"
# put in absolute paths if you don't have them in your path; or use env. vars.
mvprog="${MVPROG-mv}"
cpprog="${CPPROG-cp}"
chmodprog="${CHMODPROG-chmod}"
chownprog="${CHOWNPROG-chown}"
chgrpprog="${CHGRPPROG-chgrp}"
stripprog="${STRIPPROG-strip}"
rmprog="${RMPROG-rm}"
mkdirprog="${MKDIRPROG-mkdir}"
tranformbasename=""
transform_arg=""
instcmd="$mvprog"
chmodcmd="$chmodprog 0755"
chowncmd=""
chgrpcmd=""
stripcmd=""
rmcmd="$rmprog -f"
mvcmd="$mvprog"
src=""
dst=""
dir_arg=""
while [ x"$1" != x ]; do
case $1 in
-c) instcmd="$cpprog"
shift
continue;;
-d) dir_arg=true
shift
continue;;
-m) chmodcmd="$chmodprog $2"
shift
shift
continue;;
-o) chowncmd="$chownprog $2"
shift
shift
continue;;
-g) chgrpcmd="$chgrpprog $2"
shift
shift
continue;;
-s) stripcmd="$stripprog"
shift
continue;;
-t=*) transformarg=`echo $1 | sed 's/-t=//'`
shift
continue;;
-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
shift
continue;;
*) if [ x"$src" = x ]
then
src=$1
else
# this colon is to work around a 386BSD /bin/sh bug
:
dst=$1
fi
shift
continue;;
esac
done
if [ x"$src" = x ]
then
echo "install: no input file specified"
exit 1
else
true
fi
if [ x"$dir_arg" != x ]; then
dst=$src
src=""
if [ -d $dst ]; then
instcmd=:
else
instcmd=mkdir
fi
else
# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if [ -f $src -o -d $src ]
then
true
else
echo "install: $src does not exist"
exit 1
fi
if [ x"$dst" = x ]
then
echo "install: no destination specified"
exit 1
else
true
fi
# If destination is a directory, append the input filename; if your system
# does not like double slashes in filenames, you may need to add some logic
if [ -d $dst ]
then
dst="$dst"/`basename $src`
else
true
fi
fi
## this sed command emulates the dirname command
dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
# Make sure that the destination directory exists.
# this part is taken from Noah Friedman's mkinstalldirs script
# Skip lots of stat calls in the usual case.
if [ ! -d "$dstdir" ]; then
defaultIFS='
'
IFS="${IFS-${defaultIFS}}"
oIFS="${IFS}"
# Some sh's can't handle IFS=/ for some reason.
IFS='%'
set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
IFS="${oIFS}"
pathcomp=''
while [ $# -ne 0 ] ; do
pathcomp="${pathcomp}${1}"
shift
if [ ! -d "${pathcomp}" ] ;
then
$mkdirprog "${pathcomp}"
else
true
fi
pathcomp="${pathcomp}/"
done
fi
if [ x"$dir_arg" != x ]
then
$doit $instcmd $dst &&
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
else
# If we're going to rename the final executable, determine the name now.
if [ x"$transformarg" = x ]
then
dstfile=`basename $dst`
else
dstfile=`basename $dst $transformbasename |
sed $transformarg`$transformbasename
fi
# don't allow the sed command to completely eliminate the filename
if [ x"$dstfile" = x ]
then
dstfile=`basename $dst`
else
true
fi
# Make a temp file name in the proper directory.
dsttmp=$dstdir/#inst.$$#
# Move or copy the file name to the temp name
$doit $instcmd $src $dsttmp &&
trap "rm -f ${dsttmp}" 0 &&
# and set any options; do chmod last to preserve setuid bits
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $instcmd $src $dsttmp" command.
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
# Now rename the file to the real destination.
$doit $rmcmd -f $dstdir/$dstfile &&
$doit $mvcmd $dsttmp $dstdir/$dstfile
fi &&
exit 0

34
contrib/opie/libmissing/Makefile.in
View File

@ -1,34 +0,0 @@
##
# Makefile.in/Makefile: Directions for building libmissing.
#
# %%% copyright-cmetz-96
# This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
# The Inner Net License Version 3 applies to this software.
# You should have received a copy of the license with this software. If
# you didn't get a copy, you may request one from <license@inner.net>.
#
# History:
#
# Modified by cmetz for OPIE 2.4. Add current dir to include header path.
# Use ar 'cr' instead of 'r'. Renamed realclean to distclean.
# Created by cmetz for OPIE 2.3 using old Makefiles as a guide.
OBJS=bogus.o @MISSING@
CC=@CC@
CFLAGS=$(CFL) -I.. -I.
TARGET=libmissing.a
all: $(TARGET)
$(TARGET): $(OBJS)
@AR@ @ARFLAGS@ $(TARGET) $(OBJS)
@RANLIB@ $(TARGET)
clean:
-rm -f $(OBJS) $(TARGET)
realclean: distclean
distclean: clean
-rm -f *~ core* "\#*\#" *.o *.a Makefile

1
contrib/opie/libmissing/bogus.c
View File

@ -1 +0,0 @@
int _bogus;

19
contrib/opie/libmissing/endutent.c
View File

@ -1,19 +0,0 @@
/* endutent.c: A replacement for the endutent function
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.31. Use VOIDRET macro.
Created by cmetz for OPIE 2.3.
*/
#include "opie_cfg.h"
#include "opie.h"
VOIDRET endutent FUNCTION_NOARGS
{
}

63
contrib/opie/libmissing/getutline.c
View File

@ -1,63 +0,0 @@
/* getutline.c: A replacement for the getutline() function
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.32. Fixed check for fread() return
value.
Modified by cmetz for OPIE 2.31. If the OS won't tell us where
_PATH_UTMP is, play the SVID game, then use
Autoconf-discovered values.
Created by cmetz for OPIE 2.3.
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <utmp.h>
#include "opie.h"
static struct utmp u;
#ifndef _PATH_UTMP
#ifdef UTMP_FILE
#define _PATH_UTMP UTMP_FILE
#else /* UTMP_FILE */
#define _PATH_UTMP PATH_UTMP_AC
#endif /* UTMP_FILE */
#endif /* _PATH_UTMP */
struct utmp *getutline FUNCTION((utmp), struct utmp *utmp)
{
FILE *f;
int i;
if (!(f = __opieopen(_PATH_UTMP, 0, 0644)))
return 0;
#if HAVE_TTYSLOT
if (i = ttyslot()) {
if (fseek(f, i * sizeof(struct utmp), SEEK_SET) < 0)
goto ret;
if (fread(&u, sizeof(struct utmp), 1, f) != 1)
goto ret;
fclose(f);
return &u;
}
#endif /* HAVE_TTYSLOT */
while(fread(&u, sizeof(struct utmp), 1, f) == 1) {
if (!strncmp(utmp->ut_line, u.ut_line, sizeof(u.ut_line) - 1)) {
fclose(f);
return &u;
}
}
ret:
fclose(f);
return NULL;
}

64
contrib/opie/libmissing/pututline.c
View File

@ -1,64 +0,0 @@
/* pututline.c: A replacement for the pututline() function
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.32. Fixed check for fread() return
value.
Modified by cmetz for OPIE 2.31. If the OS won't tell us where
_PATH_UTMP is, use Autoconf-discovered values.
Created by cmetz for OPIE 2.3.
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <utmp.h>
#include "opie.h"
#ifndef _PATH_UTMP
#define _PATH_UTMP PATH_UTMP_AC
#endif /* _PATH_UTMP */
void pututline FUNCTION((utmp), struct utmp *utmp)
{
FILE *f;
struct utmp u;
int i;
if (!(f = __opieopen(_PATH_UTMP, 1, 0644)))
return;
#if HAVE_TTYSLOT
if (i = ttyslot()) {
if (fseek(f, i * sizeof(struct utmp), SEEK_SET) < 0)
goto ret;
fwrite(utmp, sizeof(struct utmp), 1, f);
goto ret;
}
#endif /* HAVE_TTYSLOT */
while(fread(&u, sizeof(struct utmp), 1, f) == 1) {
if (!strncmp(utmp->ut_line, u.ut_line, sizeof(u.ut_line) - 1)) {
if ((i = ftell(f)) < 0)
goto ret;
if (fseek(f, i - sizeof(struct utmp), SEEK_SET) < 0)
goto ret;
fwrite(utmp, sizeof(struct utmp), 1, f);
goto ret;
}
}
fclose(f);
if (!(f = __opieopen(_PATH_UTMP, 2, 0644)))
return;
fwrite(utmp, sizeof(struct utmp), 1, f);
ret:
fclose(f);
}

18
contrib/opie/libmissing/setutent.c
View File

@ -1,18 +0,0 @@
/* setutent.c: A replacement for the setutent function
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Created by cmetz for OPIE 2.31.
*/
#include "opie_cfg.h"
#include "opie.h"
VOIDRET setutent FUNCTION_NOARGS
{
}

35
contrib/opie/libopie/Makefile.in
View File

@ -1,35 +0,0 @@
##
# Makefile.in/Makefile: Directions for building libopie.
#
# %%% copyright-cmetz-96
# This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
# The Inner Net License Version 3 applies to this software.
# You should have received a copy of the license with this software. If
# you didn't get a copy, you may request one from <license@inner.net>.
#
# History:
#
# Modified by cmetz for OPIE 2.4. Add libmissing to include header path.
# Use ar 'cr' instead of 'r'. Renamed realclean to distclean.
# Modified by cmetz for OPIE 2.31. Added logwtmp.o
# Created by cmetz for OPIE 2.3 using old Makefiles as a guide.
OBJS=md4c.o md5c.o atob8.o btoa8.o btoh.o challenge.o getsequence.o hash.o hashlen.o keycrunch.o lock.o lookup.o newseed.o parsechallenge.o passcheck.o passwd.o randomchallenge.o readpass.o unlock.o verify.o version.o btoe.o accessfile.o generator.o insecure.o getutmpentry.o readrec.o writerec.o login.o open.o logwtmp.o # sha.o
CC=@CC@
CFLAGS=$(CFL) -I.. -I../libmissing
TARGET=libopie.a
all: $(TARGET)
$(TARGET): $(OBJS)
@AR@ @ARFLAGS@ $(TARGET) $(OBJS)
@RANLIB@ $(TARGET)
clean:
-rm -f $(OBJS) $(TARGET)
realclean: distclean
distclean: clean
-rm -f *~ core* "\#*\#" *.o *.a Makefile

171
contrib/opie/libopie/accessfile.c
View File

@ -1,171 +0,0 @@
/* accessfile.c: Handle trusted network access file and per-user
overrides.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.31. Include syslog.h on debug.
Modified by cmetz for OPIE 2.3. Send debug info to syslog.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Ifdef around some headers. Remove extra semicolon.
Modified at NRL for OPIE 2.2. Moved from accessfile.c to
libopie/opieaccessfile.c.
Modified at NRL for OPIE 2.0.
Written at Bellcore for the S/Key Version 1 software distribution
(login.c).
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <ctype.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#ifdef DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include "opie.h"
int opieaccessfile FUNCTION((host), char *host)
{
#ifdef PATH_ACCESS_FILE
/* Turn host into an IP address and then look it up in the authorization
* database to determine if ordinary password logins are OK
*/
long n;
struct hostent *hp;
FILE *fp;
char buf[128], **lp;
#ifdef DEBUG
syslog(LOG_DEBUG, "accessfile: host=%s", host);
#endif /* DEBUG */
if (!host[0])
/* Local login, okay */
return (1);
if (isaddr(host)) {
n = inet_addr(host);
return rdnets(n);
} else {
hp = gethostbyname(host);
if (!hp) {
printf("Unknown host %s\n", host);
return 0;
}
for (lp = hp->h_addr_list; *lp; lp++) {
memcpy((char *) &n, *lp, sizeof(n));
if (rdnets(n))
return (1);
}
return (0);
}
}
int rdnets FUNCTION((host), long host)
{
FILE *fp;
char buf[128], *cp;
long pattern, mask;
int permit_it;
if (!(fp = fopen(PATH_ACCESS_FILE, "r")))
return 0;
while (fgets(buf, sizeof(buf), fp), !feof(fp)) {
if (buf[0] == '#')
continue; /* Comment */
if (!(cp = strtok(buf, " \t")))
continue;
/* two choices permit of deny */
if (strncasecmp(cp, "permit", 4) == 0) {
permit_it = 1;
} else {
if (strncasecmp(cp, "deny", 4) == 0) {
permit_it = 0;
} else {
continue; /* ignore; it is not permit/deny */
}
}
if (!(cp = strtok(NULL, " \t")))
continue; /* Invalid line */
pattern = inet_addr(cp);
if (!(cp = strtok(NULL, " \t")))
continue; /* Invalid line */
mask = inet_addr(cp);
#ifdef DEBUG
syslog(LOG_DEBUG, "accessfile: %08x & %08x == %08x (%s)", host, mask, pattern, ((host & mask) == pattern) ? "true" : "false");
#endif /* DEBUG */
if ((host & mask) == pattern) {
fclose(fp);
return permit_it;
}
}
fclose(fp);
return 0;
}
/* Return TRUE if string appears to be an IP address in dotted decimal;
* return FALSE otherwise (i.e., if string is a domain name)
*/
int isaddr FUNCTION((s), register char *s)
{
char c;
if (!s)
return 1; /* Can't happen */
while ((c = *s++) != '\0') {
if (c != '[' && c != ']' && !isdigit(c) && c != '.')
return 0;
}
return 1;
#else /* PATH_ACCESS_FILE */
return !host[0];
#endif /* PATH_ACCESS_FILE */
}
/* Returns the opposite of what you might expect */
/* Returns 1 on error (allow)... this might not be what you want */
int opiealways FUNCTION((homedir), char *homedir)
{
char *opiealwayspath;
int i;
if (!homedir)
return 1;
if (!(opiealwayspath = malloc(strlen(homedir) + sizeof(OPIE_ALWAYS_FILE) + 1)))
return 1;
strcpy(opiealwayspath, homedir);
strcat(opiealwayspath, "/");
strcat(opiealwayspath, OPIE_ALWAYS_FILE);
i = access(opiealwayspath, F_OK);
free(opiealwayspath);
return (i);
}

76
contrib/opie/libopie/atob8.c
View File

@ -1,76 +0,0 @@
/* atob8.c: The opieatob8() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_otpkey for binary arg.
Modified by cmetz for OPIE 2.3. Return the output variable.
Don't check parameters.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Inlined and obseleted opieskipspace(). Inlined and obseleted
opiehtoi().
Created at NRL for OPIE 2.2 from opiesubr2.c
*/
#include "opie_cfg.h"
#include <stdio.h>
#include "opie.h"
/* Convert 8-byte hex-ascii string to binary array
*/
char *opieatob8 FUNCTION((out, in), struct opie_otpkey *outkey AND char *in)
{
register int i;
register int val;
unsigned char *out = (unsigned char *)outkey;
for (i = 0; i < 8; i++) {
while (*in == ' ' || *in == '\t')
in++;
if (!*in)
return NULL;
if ((*in >= '0') && (*in <= '9'))
val = *(in++) - '0';
else
if ((*in >= 'a') && (*in <= 'f'))
val = *(in++) - 'a' + 10;
else
if ((*in >= 'A') && (*in <= 'F'))
val = *(in++) - 'A' + 10;
else
return NULL;
*out = val << 4;
while (*in == ' ' || *in == '\t')
in++;
if (!*in)
return NULL;
if ((*in >= '0') && (*in <= '9'))
val = *(in++) - '0';
else
if ((*in >= 'a') && (*in <= 'f'))
val = *(in++) - 'a' + 10;
else
if ((*in >= 'A') && (*in <= 'F'))
val = *(in++) - 'A' + 10;
else
return NULL;
*out++ |= val;
}
return out;
}

34
contrib/opie/libopie/btoa8.c
View File

@ -1,34 +0,0 @@
/* btoa8.c: The opiebtoa8() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_otpkey for binary arg.
Created by cmetz for OPIE 2.3 (quick re-write).
*/
#include "opie_cfg.h"
#include "opie.h"
static char hextochar[16] =
{'0','1','2','3','4','5','6','7','8','9','a','b','c','d','e','f'};
char *opiebtoa8 FUNCTION((out, in), char *out AND struct opie_otpkey *inkey)
{
int i;
unsigned char *in = (unsigned char *)inkey;
char *c = out;
for (i = 0; i < 8; i++) {
*(c++) = hextochar[((*in) >> 4) & 0x0f];
*(c++) = hextochar[(*in++) & 0x0f];
}
*c = 0;
return out;
}

2267
contrib/opie/libopie/btoe.c
View File

File diff suppressed because it is too large Load Diff

36
contrib/opie/libopie/btoh.c
View File

@ -1,36 +0,0 @@
/* btoh.c: The opiebtoh() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Created by cmetz for OPIE 2.3.
*/
#include "opie_cfg.h"
#include "opie.h"
static char hextochar[16] =
{'0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'};
char *opiebtoh FUNCTION((out, in), char *out AND struct opie_otpkey *inkey)
{
int i;
char *c = out;
unsigned char *in = (unsigned char *)inkey;
for (i = 0; i < 4; i++) {
*(c++) = hextochar[((*in) >> 4) & 0x0f];
*(c++) = hextochar[(*in++) & 0x0f];
*(c++) = hextochar[((*in) >> 4) & 0x0f];
*(c++) = hextochar[(*in++) & 0x0f];
*(c++) = ' ';
}
*(--c) = 0;
return out;
}

79
contrib/opie/libopie/challenge.c
View File

@ -1,79 +0,0 @@
/* challenge.c: The opiechallenge() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.32. Added extended response set
identifier to the challenge.
Modified by cmetz for OPIE 2.3. Use opie_ prefix. Send debug info to
syslog. Add sha plumbing.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Created at NRL for OPIE 2.2 from opiesubr2.c
$FreeBSD$
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <string.h>
#if DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include "opie.h"
/* Return an OTP challenge string for user 'name'.
The return values are:
0 = All good
-1 = Low-level error (file, memory, I/O, etc.)
1 = High-level error (user not found or locked)
This function MUST eventually be followed by an opieverify() to release
the user lock and file handles.
This function will give you a blanked-out state block if it returns a
nonzero status. Even though it returns a non-zero status and a blank
state block, you still MUST call opieverify() to clear the lock and
any internal state (the latter condition is not actually used yet).
*/
static char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" };
int opiechallenge FUNCTION((mp, name, ss), struct opie *mp AND char *name AND char *ss)
{
int rval = -1;
rval = opielookup(mp, name);
#if DEBUG
if (rval) syslog(LOG_DEBUG, "opiechallenge: opielookup(mp, name=%s) returned %d", name, rval);
#endif /* DEBUG */
if (!rval) {
rval = opielock(name);
#if DEBUG
if (rval) syslog(LOG_DEBUG, "opiechallenge: opielock(name=%s) returned %d", name, rval);
#endif /* DEBUG */
}
if (rval ||
(snprintf(ss, OPIE_CHALLENGE_MAX+1, "otp-%s %d %s ext", algids[MDX], mp->opie_n - 1, mp->opie_seed) >= OPIE_CHALLENGE_MAX+1)) {
if (!rval)
rval = 1;
opierandomchallenge(ss);
memset(mp, 0, sizeof(*mp));
}
return rval;
}

398
contrib/opie/libopie/generator.c
View File

@ -1,398 +0,0 @@
/* generator.c: The opiegenerator() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Added opieauto code based on
previously released test code. Renamed buffer to challenge.
Use struct opie_otpkey for keys.
Modified by cmetz for OPIE 2.32. If secret=NULL, always return
as if opieauto returned "get the secret". Renamed
_opieparsechallenge() to __opieparsechallenge(). Check
challenge for extended response support and don't send
an init-hex response if extended response support isn't
indicated in the challenge.
Modified by cmetz for OPIE 2.31. Renamed "init" to "init-hex".
Removed active attack protection support. Fixed fairly
bug in how init response was computed (i.e., dead wrong).
Modified by cmetz for OPIE 2.3. Use _opieparsechallenge(). ifdef
around string.h. Output hex responses by default, output
OTP re-init extended responses (same secret) if sequence
number falls below 10.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Bug fixes.
Created at NRL for OPIE 2.2.
$FreeBSD$
*/
#include "opie_cfg.h"
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if OPIEAUTO
#include <errno.h>
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#include <sys/stat.h>
#include <sys/socket.h>
#include <sys/un.h>
#endif /* OPIEAUTO */
#if DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include <stdio.h>
#include "opie.h"
static char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" };
#if OPIEAUTO
#ifndef max
#define max(x, y) (((x) > (y)) ? (x) : (y))
#endif /* max */
static int opieauto_connect FUNCTION_NOARGS
{
int s;
struct sockaddr_un sun;
char buffer[1024];
char *c, *c2 ="/.opieauto";
uid_t myuid = getuid(), myeuid = geteuid();
if (!myuid || !myeuid || (myuid != myeuid)) {
#if DEBUG
syslog(LOG_DEBUG, "opieauto_connect: superuser and/or setuid not allowed");
#endif /* DEBUG */
return -1;
};
memset(&sun, 0, sizeof(struct sockaddr_un));
sun.sun_family = AF_UNIX;
if (!(c = getenv("HOME"))) {
#if DEBUG
syslog(LOG_DEBUG, "opieauto_connect: no HOME variable?");
#endif /* DEBUG */
return -1;
};
if (strlen(c) > (sizeof(sun.sun_path) - strlen(c2) - 1)) {
#if DEBUG
syslog(LOG_DEBUG, "opieauto_connect: HOME is too long: %s", c);
#endif /* DEBUG */
return -1;
};
strcpy(sun.sun_path, c);
strcat(sun.sun_path, c2);
if ((s = socket(PF_UNIX, SOCK_STREAM, 0)) < 0) {
#if DEBUG
syslog(LOG_DEBUG, "opieauto_connect: socket: %s(%d)", strerror(errno), errno);
#endif /* DEBUG */
return -1;
};
{
struct stat st;
if (stat(sun.sun_path, &st) < 0) {
#if DEBUG
syslog(LOG_DEBUG, "opieauto_connect: stat: %s(%d)\n", strerror(errno), errno);
#endif /* DEBUG */
goto ret;
};
if (connect(s, (struct sockaddr *)&sun, sizeof(struct sockaddr_un))) {
#if DEBUG
syslog(LOG_DEBUG, "opieauto_connect: connect: %s(%d)\n", strerror(errno), errno);
#endif /* DEBUG */
goto ret;
};
if ((st.st_uid != myuid) || (!S_ISSOCK(st.st_mode)) || ((st.st_mode & 07777) != 0600)) {
#if DEBUG
syslog(LOG_DEBUG, "opieauto_connect: something's fishy about the socket\n");
#endif /* DEBUG */
goto ret;
};
};
return s;
ret:
close(s);
return -1;
};
#endif /* OPIEAUTO */
int opiegenerator FUNCTION((challenge, secret, response), char *challenge AND char *secret AND char *response)
{
int algorithm;
int sequence;
char *seed;
struct opie_otpkey key;
int i;
int exts;
#if OPIEAUTO
int s;
int window;
char cmd[1+1+1+1+4+1+OPIE_SEED_MAX+1+4+1+4+1+4+1+4+1];
char *c;
#endif /* OPIEAUTO */
if (!(challenge = strstr(challenge, "otp-")))
return 1;
challenge += 4;
if (__opieparsechallenge(challenge, &algorithm, &sequence, &seed, &exts))
return 1;
if ((sequence < 2) || (sequence > 9999))
return 1;
if (*secret) {
if (opiepasscheck(secret))
return -2;
if (i = opiekeycrunch(algorithm, &key, seed, secret))
return i;
if (sequence <= OPIE_SEQUENCE_RESTRICT) {
if (!(exts & 1))
return 1;
{
char newseed[OPIE_SEED_MAX + 1];
struct opie_otpkey newkey;
char *c;
char buf[OPIE_SEED_MAX + 48 + 1];
while (sequence-- != 0)
opiehash(&key, algorithm);
if (opienewseed(strcpy(newseed, seed)) < 0)
return -1;
if (opiekeycrunch(algorithm, &newkey, newseed, secret))
return -1;
for (i = 0; i < 499; i++)
opiehash(&newkey, algorithm);
strcpy(response, "init-hex:");
strcat(response, opiebtoh(buf, &key));
if (snprintf(buf, sizeof(buf), ":%s 499 %s:", algids[algorithm],
newseed) >= sizeof(buf)) {
#ifdef DEBUG
syslog(LOG_DEBUG, "opiegenerator: snprintf truncation at init-hex");
#endif /* DEBUG */
return -1;
}
strcat(response, buf);
strcat(response, opiebtoh(buf, &newkey));
};
};
};
#if OPIEAUTO
if ((s = opieauto_connect()) >= 0) {
if ((i = read(s, cmd, sizeof(cmd)-1)) < 0) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: read: %s(%d)\n", strerror(errno), errno);
#endif /* DEBUG */
close(s);
s = -1;
goto l0;
};
cmd[i] = 0;
if ((cmd[0] != 'C') || (cmd[1] != '+') || (cmd[2] != ' ')) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: got invalid/failing C+ response: %s\n", cmd);
#endif /* DEBUG */
close(s);
s = -1;
goto l0;
};
window = strtoul(&cmd[3], &c, 10);
if (!window || (window >= (OPIE_SEQUENCE_MAX - OPIE_SEQUENCE_RESTRICT)) || !isspace(*c)) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: got bogus option response: %s\n", cmd);
#endif /* DEBUG */
close(s);
s = -1;
goto l0;
};
};
l0:
if (*secret) {
int j;
if (s < 0) {
j = 0;
goto l1;
};
j = max(sequence - window + 1, OPIE_SEQUENCE_RESTRICT);
for (i = j; i > 0; i--)
opiehash(&key, algorithm);
{
char buf[16+1];
opiebtoa8(buf, &key);
if (snprintf(cmd, sizeof(cmd), "S= %d %d %s %s\n", algorithm, sequence,
seed, buf) >= sizeof(cmd)) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: snprintf truncation at S=\n");
#endif /* DEBUG */
goto l1;
}
}
if (write(s, cmd, i = strlen(cmd)) != i) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: write: %s(%d)\n", strerror(errno), errno);
#endif /* DEBUG */
goto l1;
};
if ((i = read(s, cmd, sizeof(cmd))) < 0) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: read: %s(%d)\n", strerror(errno), errno);
#endif /* DEBUG */
};
close(s);
cmd[i] = 0;
i = strlen(seed);
if ((cmd[0] != 'S') || (cmd[1] != '+') || (cmd[2] != ' ') || (strtoul(&cmd[3], &c, 10) != algorithm) || (strtoul(c + 1, &c, 10) != sequence) || strncmp(++c, seed, i) || (*(c + i) != '\n')) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: got invalid/failing S+ response: %s\n", cmd);
#endif /* DEBUG */
};
l1:
for (i = sequence - j; i > 0; i--)
opiehash(&key, algorithm);
opiebtoh(response, &key);
} else {
if (s < 0)
goto l2;
if ((snprintf(cmd, sizeof(cmd), "s= %d %d %s\n", algorithm, sequence,
seed) >= sizeof(cmd))) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: snprintf truncation at s=\n");
#endif /* DEBUG */
goto l2;
}
if (write(s, cmd, i = strlen(cmd)) != i) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: write: %s(%d)\n", strerror(errno), errno);
#endif /* DEBUG */
goto l2;
};
if ((i = read(s, cmd, sizeof(cmd))) < 0) {
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: read: %s(%d)\n", strerror(errno), errno);
#endif /* DEBUG */
goto l2;
};
close(s);
i = strlen(seed);
if ((cmd[0] != 's') || (cmd[2] != ' ') || (strtoul(&cmd[3], &c, 10) != algorithm) || (strtoul(c + 1, &c, 10) != sequence) || strncmp(++c, seed, i)) {
#if DEBUG
if (c)
*c = 0;
else
cmd[3] = 0;
syslog(LOG_DEBUG, "opiegenerator: got bogus/invalid s response: %s\n", cmd);
#endif /* DEBUG */
goto l2;
};
c += i;
if (cmd[1] == '-') {
#if DEBUG
if (*c != '\n') {
*c = 0;
syslog(LOG_DEBUG, "opiegenerator: got invalid s- response: %s\n", cmd);
};
#endif /* DEBUG */
goto l2;
};
if (cmd[1] != '+') {
#if DEBUG
*c = 0;
syslog(LOG_DEBUG, "opiegenerator: got invalid s response: %s\n", cmd);
#endif /* DEBUG */
goto l2;
};
{
char *c2;
if (!(c2 = strchr(++c, '\n'))) {
#if DEBUG
*c = 0;
syslog(LOG_DEBUG, "opiegenerator: got invalid s+ response: %s\n", cmd);
#endif /* DEBUG */
goto l2;
};
*c2++ = 0;
};
if (!opieatob8(&key, c))
goto l2;
opiebtoh(response, &key);
};
if (s >= 0)
close(s);
#else /* OPIEAUTO */
if (*secret) {
while (sequence-- != 0)
opiehash(&key, algorithm);
opiebtoh(response, &key);
} else
return -2;
#endif /* OPIEAUTO */
return 0;
#if OPIEAUTO
l2:
#if DEBUG
syslog(LOG_DEBUG, "opiegenerator: no opieauto response available.\n");
#endif /* DEBUG */
if (s >= 0)
close(s);
return -2;
#endif /* OPIEAUTO */
};

27
contrib/opie/libopie/getsequence.c
View File

@ -1,27 +0,0 @@
/* getsequence.c: The opiegetsequence() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.3. Use opie_ prefix.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Created at NRL for OPIE 2.2 from opiesubr2.c
*/
#include "opie_cfg.h"
#include "opie.h"
int opiegetsequence FUNCTION((stateblock), struct opie *stateblock)
{
return stateblock->opie_n;
}

85
contrib/opie/libopie/getutmpentry.c
View File

@ -1,85 +0,0 @@
/* getutmpentry.c: The __opiegetutmpentry() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.31. Cache result.
Created by cmetz for OPIE 2.3 (re-write).
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <sys/types.h>
#if DOUTMPX
#include <utmpx.h>
#define setutent setutxent
#define getutline(x) getutxline(x)
#define utmp utmpx
#else
#include <utmp.h>
#endif /* DOUTMPX */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include "opie.h"
#if !HAVE_GETUTLINE && !DOUTMPX
struct utmp *getutline __P((struct utmp *));
#endif /* HAVE_GETUTLINE && !DOUTMPX */
static struct utmp u;
int __opiegetutmpentry FUNCTION((line, utmp), char *line AND struct utmp *utmp)
{
struct utmp *pu;
if (u.ut_line[0]) {
pu = &u;
goto gotit;
};
memset(&u, 0, sizeof(u));
if (!strncmp(line, "/dev/", 5)) {
strncpy(u.ut_line, line + 5, sizeof(u.ut_line));
setutent();
if ((pu = getutline(&u)))
goto gotit;
#ifdef hpux
strcpy(u.ut_line, "pty/");
strncpy(u.ut_line + 4, line + 5, sizeof(u.ut_line) - 4);
setutent();
if ((pu = getutline(&u)))
goto gotit;
#endif /* hpux */
}
strncpy(u.ut_line, line, sizeof(u.ut_line));
setutent();
if ((pu = getutline(&u)))
goto gotit;
#if DEBUG
syslog(LOG_DEBUG, "__opiegetutmpentry: failed to find entry for line %s", line);
#endif /* DEBUG */
return -1;
gotit:
#if DEBUG
syslog(LOG_DEBUG, "__opiegetutmpentry: succeeded with line %s", pu->ut_line);
#endif /* DEBUG */
memcpy(utmp, pu, sizeof(struct utmp));
return 0;
}

78
contrib/opie/libopie/hash.c
View File

@ -1,78 +0,0 @@
/* hash.c: The opiehash() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_otpkey for binary arg.
Modified by cmetz for OPIE 2.31. Added SHA support (which may
not be correct). Backed out previous optimizations as
they killed thread-safety.
Created by cmetz for OPIE 2.3 using the old hash.c as a guide.
$FreeBSD$
*/
#include <sys/endian.h>
#include "opie_cfg.h"
#include "opie.h"
#include <sha.h>
#include <md4.h>
#include <md5.h>
VOIDRET opiehash FUNCTION((x, algorithm), struct opie_otpkey *x AND
unsigned algorithm)
{
UINT4 *results = (UINT4 *)x;
switch(algorithm) {
case 3:
{
SHA_CTX sha;
UINT4 digest[5];
SHA1_Init(&sha);
SHA1_Update(&sha, (unsigned char *)x, 8);
SHA1_Final((unsigned char *)digest, &sha);
results[0] = digest[0] ^ digest[2] ^ digest[4];
results[1] = digest[1] ^ digest[3];
/*
* RFC2289 mandates that we convert SHA1 digest from big-endian to little
* see Appendix A.
*/
results[0] = bswap32(results[0]);
results[1] = bswap32(results[1]);
};
break;
case 4:
{
MD4_CTX mdx;
UINT4 mdx_tmp[4];
MD4Init(&mdx);
MD4Update(&mdx, (unsigned char *)x, 8);
MD4Final((unsigned char *)mdx_tmp, &mdx);
results[0] = mdx_tmp[0] ^ mdx_tmp[2];
results[1] = mdx_tmp[1] ^ mdx_tmp[3];
};
break;
case 5:
{
MD5_CTX mdx;
UINT4 mdx_tmp[4];
MD5Init(&mdx);
MD5Update(&mdx, (unsigned char *)x, 8);
MD5Final((unsigned char *)mdx_tmp, &mdx);
results[0] = mdx_tmp[0] ^ mdx_tmp[2];
results[1] = mdx_tmp[1] ^ mdx_tmp[3];
};
break;
}
}

69
contrib/opie/libopie/hashlen.c
View File

@ -1,69 +0,0 @@
/* hashlen.c: The opiehashlen() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_otpkey, isolate variables.
Created by cmetz for OPIE 2.3.
$FreeBSD$
*/
#include <sys/endian.h>
#include "opie_cfg.h"
#include "opie.h"
#include <sha.h>
#include <md4.h>
#include <md5.h>
VOIDRET opiehashlen FUNCTION((algorithm, in, out, n), int algorithm AND
VOIDPTR in AND struct opie_otpkey *out AND int n)
{
UINT4 *results = (UINT4 *)out;
UINT4 mdx_tmp[4];
switch(algorithm) {
case 3: {
SHA_CTX sha;
UINT4 digest[5];
SHA1_Init(&sha);
SHA1_Update(&sha, (unsigned char *)in, n);
SHA1_Final((unsigned char *)digest, &sha);
results[0] = digest[0] ^ digest[2] ^ digest[4];
results[1] = digest[1] ^ digest[3];
/*
* RFC2289 mandates that we convert SHA1 digest from big-endian to little
* see Appendix A.
*/
results[0] = bswap32(results[0]);
results[1] = bswap32(results[1]);
break;
}
case 4: {
MD4_CTX mdx;
MD4Init(&mdx);
MD4Update(&mdx, (unsigned char *)in, n);
MD4Final((unsigned char *)mdx_tmp, &mdx);
results[0] = mdx_tmp[0] ^ mdx_tmp[2];
results[1] = mdx_tmp[1] ^ mdx_tmp[3];
break;
}
case 5: {
MD5_CTX mdx;
MD5Init(&mdx);
MD5Update(&mdx, (unsigned char *)in, n);
MD5Final((unsigned char *)mdx_tmp, &mdx);
results[0] = mdx_tmp[0] ^ mdx_tmp[2];
results[1] = mdx_tmp[1] ^ mdx_tmp[3];
break;
}
}
}

172
contrib/opie/libopie/insecure.c
View File

@ -1,172 +0,0 @@
/* insecure.c: The opieinsecure() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Do utmp checks on utmpx systems.
Handle unterminated ut_host.
Modified by cmetz for OPIE 2.31. Fixed a logic bug. Call endut[x]ent().
Modified by cmetz for OPIE 2.3. Added result caching. Use
__opiegetutmpentry(). Ifdef around ut_host check. Eliminate
unused variable.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Allow IP loopback. DISPLAY and ut_host must match exactly,
not just the part before the colon. Added work-around for
Sun CDE dtterm bug. Leave the environment as it was
found. Use uname().
Created at NRL for OPIE 2.2 from opiesubr.c. Fixed pointer
assignment that should have been a comparison.
$FreeBSD$
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h> /* ANSI C standard library */
#include <sys/param.h>
#include <unistd.h>
#if DOUTMPX
#include <utmpx.h>
#define utmp utmpx
#define endutent endutxent
#else
#include <utmp.h>
#endif /* DOUTMPX */
#if HAVE_SYS_UTSNAME_H
#include <sys/utsname.h>
#endif /* HAVE_SYS_UTSNAME_H */
#include "opie.h"
char *remote_terms[] = { "xterm", "xterms", "kterm", NULL };
int opieinsecure FUNCTION_NOARGS
{
#ifndef NO_INSECURE_CHECK
char *display_name;
char *s;
char *term_name;
int insecure = 0;
#if HAVE_UT_HOST || DOUTMPX
struct utmp utmp;
#endif /* HAVE_UT_HOST || DOUTMPX */
static int result = -1;
if (result != -1)
return result;
if (getenv("SSH_CLIENT") != NULL)
return (result = 0);
display_name = (char *) getenv("DISPLAY");
term_name = (char *) getenv("TERM");
if (display_name) {
insecure = 1;
if (s = strchr(display_name, ':')) {
int n = s - display_name;
if (!n)
insecure = 0;
else {
if (!strncmp("unix", display_name, n))
insecure = 0;
else if (!strncmp("localhost", display_name, n))
insecure = 0;
else if (!strncmp("loopback", display_name, n))
insecure = 0;
else if (!strncmp("127.0.0.1", display_name, n))
insecure = 0;
else {
struct utsname utsname;
if (!uname(&utsname)) {
if (!strncmp(utsname.nodename, display_name, n))
insecure = 0;
else {
if (s = strchr(display_name, '.')) {
int n2 = s - display_name;
if (n < n2)
n2 = n;
if (!strncmp(utsname.nodename, display_name, n2))
insecure = 0;
} /* endif display_name is '.' */
} /* endif hostname != display_name */
} /* endif was able to get hostname */
} /* endif display_name == UNIX */
}
}
} /* endif display_name == ":" */
if (insecure)
return (result = 1);
/* If no DISPLAY variable exists and TERM=xterm,
then we probably have an xterm executing on a remote system
with an rlogin or telnet to our system. If it were a local
xterm, then the DISPLAY environment variable would
have to exist. rja */
if (!display_name && term_name) {
int i;
for (i = 0; remote_terms[i]; i++)
if (!strcmp(term_name, remote_terms[i]))
return (result = 1);
};
#if HAVE_UT_HOST || DOUTMPX
if (isatty(0)) {
memset(&utmp, 0, sizeof(struct utmp));
{
int i = __opiegetutmpentry(ttyname(0), &utmp);
endutent();
if (!i && utmp.ut_host[0]) {
char host[sizeof(utmp.ut_host) + 1];
insecure = 1;
strncpy(host, utmp.ut_host, sizeof(utmp.ut_host));
host[sizeof(utmp.ut_host)] = 0;
if (s = strchr(host, ':')) {
int n = s - host;
if (!n)
insecure = 0;
else
if (display_name) {
if (!strncmp(host, display_name, n))
insecure = 0;
#if 1 /* def SOLARIS */
else
if (s = strchr(host, ' ')) {
*s = ':';
if (s = strchr(s + 1, ' '))
*s = '.';
if (!strncmp(host, display_name, n))
insecure = 0;
}
#endif /* SOLARIS */
}
}
}
};
};
#endif /* HAVE_UT_HOST || DOUTMPX */
if (insecure)
return (result = 1);
return (result = 0);
#else /* NO_INSECURE_CHECK */
return 0;
#endif /* NO_INSECURE_CHECK */
}

66
contrib/opie/libopie/keycrunch.c
View File

@ -1,66 +0,0 @@
/* keycrunch.c: The opiekeycrunch() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_otpkey for arg.
Created by cmetz for OPIE 2.3 using the old keycrunch.c as a guide.
*/
#include "opie_cfg.h"
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#include <ctype.h>
#include "opie.h"
int opiekeycrunch FUNCTION((algorithm, result, seed, secret), int algorithm AND
struct opie_otpkey *result AND char *seed AND char *secret)
{
int i, rval = -1;
char *c;
if (!result || !seed || !secret)
return 1;
i = strlen(seed) + strlen(secret);
if (!(c = malloc(i + 1)))
return -1;
{
char *c2 = c;
if (algorithm & 0x10)
while(*c2 = *(secret++)) c2++;
while(*seed)
if (isspace(*(c2++) = tolower(*(seed++))))
goto kcret;
if (!(algorithm & 0x10))
strcpy(c2, secret);
}
opiehashlen(algorithm & 0x0f, c, result, i);
rval = 0;
kcret:
{
char *c2 = c;
while(*c2)
*(c2++) = 0;
}
free(c);
return rval;
}

255
contrib/opie/libopie/lock.c
View File

@ -1,255 +0,0 @@
/* lock.c: The opielock() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Use snprintf.
Modified by cmetz for OPIE 2.31. Put locks in a separate dir.
Bug fixes.
Modified by cmetz for OPIE 2.3. Do refcounts whether or not we
actually lock. Fixed USER_LOCKING=0 case.
Modified by cmetz for OPIE 2.22. Added reference count for locks.
Changed lock filename/refcount symbol names to better indicate
that they're not user serviceable.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Use "principal" instead of "name" to make it clearer.
Ifdef around some headers, be more careful about allowed
error return values. Check open() return value properly.
Avoid NULL.
Created at NRL for OPIE 2.2 from opiesubr2.c
$FreeBSD$
*/
#include "opie_cfg.h"
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <sys/stat.h>
#include <syslog.h>
#include <fcntl.h>
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#include <errno.h>
#include "opie.h"
#if !HAVE_LSTAT
#define lstat(x, y) stat(x, y)
#endif /* !HAVE_LSTAT */
int __opie_lockrefcount = 0;
static int do_atexit = 1;
VOIDRET opiedisableaeh FUNCTION_NOARGS
{
do_atexit = 0;
}
#if USER_LOCKING
char *__opie_lockfilename = (char *)0;
/* atexit() handler for opielock() */
VOIDRET opieunlockaeh FUNCTION_NOARGS
{
if (__opie_lockfilename) {
__opie_lockrefcount = 0;
opieunlock();
}
}
#endif /* USER_LOCKING */
/*
Serialize (we hope) authentication of user to prevent race conditions.
Creates a lock file with a name of OPIE_LOCK_PREFIX with the user name
appended. This file contains the pid of the lock's owner and a time()
stamp. We use the former to check for dead owners and the latter to
provide an upper bound on the lock duration. If there are any problems,
we assume the lock is bogus.
The value of this locking and its security implications are still not
completely clear and require further study.
One could conceivably hack this facility to provide locking of user
accounts after several authentication failures.
Return -1 on low-level error, 0 if ok, 1 on locking failure.
*/
int opielock FUNCTION((principal), char *principal)
{
#if USER_LOCKING
int fh, waits = 0, rval = -1, pid, t, i;
char buffer[128], buffer2[128], *c, *c2;
struct stat statbuf[2];
if (getuid() && geteuid()) {
#if DEBUG
syslog(LOG_DEBUG, "opielock: requires superuser priveleges");
#endif /* DEBUG */
return -1;
};
if (__opie_lockfilename) {
__opie_lockrefcount++;
return 0;
}
if (!(__opie_lockfilename = (char *)malloc(sizeof(OPIE_LOCK_DIR) + 1 + strlen(principal))))
return -1;
strcpy(__opie_lockfilename, OPIE_LOCK_DIR);
if (mkdir(__opie_lockfilename, 0700) < 0)
if (errno != EEXIST)
return -1;
if (lstat(__opie_lockfilename, &statbuf[0]) < 0)
return -1;
if (statbuf[0].st_uid) {
#if DEBUG
syslog(LOG_DEBUG, "opielock: %s isn't owned by the superuser.", __opie_lockfilename);
#endif /* DEBUG */
return -1;
};
if (!S_ISDIR(statbuf[0].st_mode)) {
#if DEBUG
syslog(LOG_DEBUG, "opielock: %s isn't a directory.", __opie_lockfilename);
#endif /* DEBUG */
return -1;
};
if ((statbuf[0].st_mode & 0777) != 00700) {
#if DEBUG
syslog(LOG_DEBUG, "opielock: permissions on %s are not correct.", __opie_lockfilename);
#endif /* DEBUG */
return -1;
};
strcat(__opie_lockfilename, "/");
strcat(__opie_lockfilename, principal);
fh = -1;
while (fh < 0) {
if (!lstat(__opie_lockfilename, &statbuf[0]))
if (!S_ISREG(statbuf[0].st_mode))
goto lockret;
if ((fh = open(__opie_lockfilename, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) {
if (lstat(__opie_lockfilename, &statbuf[1]) < 0)
goto lockret;
if (statbuf[0].st_ino != statbuf[1].st_ino)
goto lockret;
if (statbuf[0].st_mode != statbuf[1].st_mode)
goto lockret;
if ((fh = open(__opie_lockfilename, O_RDONLY, 0600)) < 0)
goto lockret;
if ((i = read(fh, buffer, sizeof(buffer))) <= 0)
goto lockret;
buffer[sizeof(buffer) - 1] = 0;
buffer[i - 1] = 0;
if (!(c = strchr(buffer, '\n')))
break;
*(c++) = 0;
if (!(c2 = strchr(c, '\n')))
break;
*(c2++) = 0;
if (!(pid = atoi(buffer)))
break;
if (!(t = atoi(c)))
break;
if ((t + OPIE_LOCK_TIMEOUT) < time(0))
break;
if (kill(pid, 0))
break;
close(fh);
fh = 0;
sleep(1);
if (waits++ > 3) {
rval = 1;
goto lockret;
};
};
};
if (lstat(__opie_lockfilename, &statbuf[0]) < 0)
goto lockret;
if (fstat(fh, &statbuf[1]) < 0)
goto lockret;
if (!S_ISREG(statbuf[0].st_mode) || (statbuf[0].st_mode != statbuf[1].st_mode) || (statbuf[0].st_ino != statbuf[1].st_ino))
goto lockret;
if (snprintf(buffer, sizeof(buffer), "%d\n%d\n", getpid(), time(0)) >= sizeof(buffer))
goto lockret;
i = strlen(buffer) + 1;
if (lseek(fh, 0, SEEK_SET)) {
close(fh);
unlink(__opie_lockfilename);
fh = 0;
goto lockret;
};
if (write(fh, buffer, i) != i) {
close(fh);
unlink(__opie_lockfilename);
fh = 0;
goto lockret;
};
close(fh);
if ((fh = open(__opie_lockfilename, O_RDWR, 0600)) < 0) {
unlink(__opie_lockfilename);
goto lockret;
};
if (read(fh, buffer2, i) != i) {
close(fh);
unlink(__opie_lockfilename);
fh = 0;
goto lockret;
};
close(fh);
if (memcmp(buffer, buffer2, i)) {
unlink(__opie_lockfilename);
goto lockret;
};
__opie_lockrefcount++;
rval = 0;
if (do_atexit)
atexit(opieunlockaeh);
lockret:
if (fh >= 0)
close(fh);
if (!__opie_lockrefcount) {
free (__opie_lockfilename);
__opie_lockfilename = NULL;
};
return rval;
#else /* USER_LOCKING */
__opie_lockrefcount++;
return 0;
#endif /* USER_LOCKING */
}

124
contrib/opie/libopie/login.c
View File

@ -1,124 +0,0 @@
/* login.c: The opielogin() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Add support for ut_id and
ut_syslen. Don't zero-terminate ut_name and ut_host.
Modified by cmetz for OPIE 2.31. If the OS won't tell us where
_PATH_WTMP[X] is, try playing the SVID game, then use
Autoconf-discovered values. Fixed gettimeofday() call
and updwtmpx() call. Call endutxent for utmpx. Added
DISABLE_UTMP.
Created by cmetz for OPIE 2.3.
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <sys/types.h>
#if DOUTMPX
#include <utmpx.h>
#define pututline(x) pututxline(x)
#define endutent endutxent
#define utmp utmpx
#else
#include <utmp.h>
#endif /* DOUTMPX */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include <sys/stat.h>
#if DEBUG
#include <syslog.h>
#include <errno.h>
#endif /* DEBUG */
#include "opie.h"
#define IDLEN 4
int opielogin FUNCTION((line, name, host), char *line AND char *name AND char *host)
{
int rval = 0;
#if !DISABLE_UTMP
struct utmp u;
char id[IDLEN + 1] = "";
if (__opiegetutmpentry(line, &u)) {
#if DEBUG
syslog(LOG_DEBUG, "opielogin: __opiegetutmpentry(line=%s, &u) failed", line);
#endif /* DEBUG */
memset(&u, 0, sizeof(struct utmp));
if (!strncmp(line, "/dev/", 5))
strncpy(u.ut_line, line + 5, sizeof(u.ut_line));
else
strncpy(u.ut_line, line, sizeof(u.ut_line));
#if DEBUG
syslog(LOG_DEBUG, "opielogin: continuing with ut_line=%s", u.ut_line);
#endif /* DEBUG */
}
#if DOUTMPX || HAVE_UT_ID
strncpy(id, u.ut_id, sizeof(u.ut_id));
id[sizeof(id)-1] = 0;
#endif /* DOUTMPX || HAVE_UT_ID */
#if HAVE_UT_TYPE && defined(USER_PROCESS)
u.ut_type = USER_PROCESS;
#endif /* HAVE_UT_TYPE && defined(USER_PROCESS) */
#if HAVE_UT_PID
u.ut_pid = getpid();
#endif /* HAVE_UT_PID */
#if HAVE_UT_NAME
strncpy(u.ut_name, name, sizeof(u.ut_name));
#else /* HAVE_UT_NAME */
#error No ut_name field in struct utmp? (Please send in a bug report)
#endif /* HAVE_UT_NAME */
#if HAVE_UT_HOST
strncpy(u.ut_host, host, sizeof(u.ut_host));
#endif /* HAVE_UT_HOST */
#if DOUTMPX && HAVE_UTX_SYSLEN
u.ut_syslen = strlen(host) + 1;
#endif /* DOUTMPX && HAVE_UT_SYSLEN */
#if DOUTMPX
#ifdef HAVE_ONE_ARG_GETTIMEOFDAY
gettimeofday(&u.ut_tv);
#else /* HAVE_ONE_ARG_GETTIMEOFDAY */
gettimeofday(&u.ut_tv, NULL);
#endif /* HAVE_ONE_ARG_GETTIMEOFDAY */
#else /* DOUTMPX */
time(&u.ut_time);
#endif /* DOUTMPX */
pututline(&u);
endutent();
#if DEBUG
syslog(LOG_DEBUG, "opielogin: utmp suceeded");
#endif /* DEBUG */
#endif /* !DISABLE_UTMP */
dowtmp:
opielogwtmp(line, name, host, id);
opielogwtmp(NULL, NULL, NULL);
dosetlogin:
#if HAVE_SETLOGIN
setlogin(name);
#endif /* HAVE_SETLOGIN */
#if DEBUG
syslog(LOG_DEBUG, "opielogin: rval=%d", rval);
#endif /* DEBUG */
return rval;
}

197
contrib/opie/libopie/logwtmp.c
View File

@ -1,197 +0,0 @@
/* logwtmp.c: Put an entry in the wtmp file.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Set process to dead if name is null.
Added support for ut_id and ut_syslen.
Modified by cmetz for OPIE 2.32. Don't leave line=NULL, skip
past /dev/ in line. Fill in ut_host on systems with UTMPX and
ut_host.
Modified by cmetz for OPIE 2.31. Move wtmp log functions here, to
improve portability. Added DISABLE_WTMP.
Modified by cmetz for OPIE 2.22. Call gettimeofday() properly.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Ifdef around some headers. Added file close hook.
Modified at NRL for OPIE 2.1. Set process type for HPUX.
Modified at NRL for OPIE 2.0.
Originally from BSD.
*/
/*
* Copyright (c) 1988 The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#include "opie_cfg.h"
#include <sys/types.h>
#if HAVE_SYS_TIME_H
#include <sys/time.h>
#endif /* HAVE_SYS_TIME_H */
#include <sys/stat.h>
#include <fcntl.h>
#include <utmp.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include "opie.h"
static int fd = -1;
#if DOUTMPX
static int fdx = -1;
#include <utmpx.h>
#endif /* DOUTMPX */
#ifndef _PATH_WTMP
#ifdef WTMP_FILE
#define _PATH_WTMP WTMP_FILE
#else /* WTMP_FILE */
#ifdef PATH_WTMP_AC
#define _PATH_WTMP PATH_WTMP_AC
#endif /* PATH_WTMP_AC */
#endif /* WTMP_FILE */
#endif /* _PATH_WTMP */
#ifndef _PATH_WTMPX
#ifdef WTMPX_FILE
#define _PATH_WTMPX WTMPX_FILE
#else /* WTMPX_FILE */
#ifdef PATH_WTMPX_AC
#define _PATH_WTMPX PATH_WTMPX_AC
#endif /* PATH_WTMPX_AC */
#endif /* WTMPX_FILE */
#endif /* _PATH_WTMPX */
/*
* Modified version of logwtmp that holds wtmp file open
* after first call, for use with ftp (which may chroot
* after login, but before logout).
*/
VOIDRET opielogwtmp FUNCTION((line, name, host), char *line AND char *name AND char *host AND char *id)
{
#if !DISABLE_WTMP
struct utmp ut;
#if DOUTMPX && defined(_PATH_WTMPX)
struct utmpx utx;
#endif /* DOUTMPX && defined(_PATH_WTMPX) */
struct stat buf;
memset(&ut, 0, sizeof(struct utmp));
if (!line) {
close(fd);
#if DOUTMPX && defined(_PATH_WTMPX)
close(fdx);
#endif /* DOUTMPX && defined(_PATH_WTMPX) */
line = "";
} else
if (!strncmp(line, "/dev/", 5))
line += 5;
if (fd < 0 && (fd = open(_PATH_WTMP, O_WRONLY | O_APPEND, 0)) < 0)
return;
if (fstat(fd, &buf) == 0) {
#if HAVE_UT_TYPE && defined(USER_PROCESS)
if (name && *name)
ut.ut_type = USER_PROCESS;
else
ut.ut_type = DEAD_PROCESS;
#endif /* HAVE_UT_TYPE && defined(USER_PROCESS) */
#if HAVE_UT_ID
if (id)
strncpy(ut.ut_id, id, sizeof(ut.ut_id));
#endif /* HAVE_UT_ID */
#if HAVE_UT_PID
ut.ut_pid = getpid();
#endif /* HAVE_UT_PID */
strncpy(ut.ut_line, line, sizeof(ut.ut_line));
strncpy(ut.ut_name, name, sizeof(ut.ut_name));
#if HAVE_UT_HOST
strncpy(ut.ut_host, host, sizeof(ut.ut_host));
#endif /* HAVE_UT_HOST */
time(&ut.ut_time);
if (write(fd, (char *) &ut, sizeof(struct utmp)) !=
sizeof(struct utmp))
ftruncate(fd, buf.st_size);
}
#if DOUTMPX && defined(_PATH_WTMPX)
memset(&utx, 0, sizeof(struct utmpx));
if (fdx < 0 && (fdx = open(_PATH_WTMPX, O_WRONLY | O_APPEND, 0)) < 0)
return;
if (fstat(fdx, &buf) == 0) {
strncpy(utx.ut_line, line, sizeof(utx.ut_line));
strncpy(utx.ut_name, name, sizeof(utx.ut_name));
strncpy(utx.ut_host, host, sizeof(utx.ut_host));
#ifdef USER_PROCESS
if (name && *name)
utx.ut_type = USER_PROCESS;
else
utx.ut_type = DEAD_PROCESS;
#endif /* USER_PROCESS */
if (id)
strncpy(utx.ut_id, id, sizeof(utx.ut_id));
utx.ut_pid = getpid();
#if HAVE_UTX_SYSLEN
utx.ut_syslen = strlen(utx.ut_host) + 1;
#endif /* HAVE_UTX_SYSLEN */
#if HAVE_GETTIMEOFDAY
#if HAVE_ONE_ARG_GETTIMEOFDAY
gettimeofday(&utx.ut_tv);
#else /* HAVE_ONE_ARG_GETTIMEOFDAY */
gettimeofday(&utx.ut_tv, NULL);
#endif /* HAVE_ONE_ARG_GETTIMEOFDAY */
#endif /* HAVE_GETTIMEOFDAY */
if (write(fdx, (char *) &utx, sizeof(struct utmpx)) != sizeof(struct utmpx))
ftruncate(fdx, buf.st_size);
}
#endif /* DOUTMPX && defined(_PATH_WTMPX) */
#endif /* !DISABLE_WTMP */
}

31
contrib/opie/libopie/lookup.c
View File

@ -1,31 +0,0 @@
/* lookup.c: The opielookup() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Created by cmetz for OPIE 2.3 (re-write).
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <string.h>
#include "opie.h"
int opielookup FUNCTION((opie, principal), struct opie *opie AND char *principal)
{
int i;
memset(opie, 0, sizeof(struct opie));
opie->opie_principal = principal;
if (i = __opiereadrec(opie))
return i;
return (opie->opie_flags & __OPIE_FLAGS_RW) ? 0 : 2;
}

267
contrib/opie/libopie/md4c.c
View File

@ -1,267 +0,0 @@
/* md4c.c: "RSA Data Security, Inc. MD4 Message-Digest Algorithm"
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Use the real memcpy() and memset(). Use unified context
structure.
Modified at NRL for OPIE 2.0.
Originally from RSADSI reference code.
*/
/* Copyright (C) 1990-2, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it
is identified as the "RSA Data Security, Inc. MD4 Message-Digest
Algorithm" in all material mentioning or referencing this software
or this function.
License is also granted to make and use derivative works provided
that such works are identified as "derived from the RSA Data
Security, Inc. MD4 Message-Digest Algorithm" in all material
mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either
the merchantability of this software or the suitability of this
software for any particular purpose. It is provided "as is"
without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this
documentation and/or software.
*/
#include "opie_cfg.h"
#include "opie.h"
/* Constants for MD4Transform routine.
*/
#define S11 3
#define S12 7
#define S13 11
#define S14 19
#define S21 3
#define S22 5
#define S23 9
#define S24 13
#define S31 3
#define S32 9
#define S33 11
#define S34 15
static VOIDRET MD4Transform __P((UINT4[4], unsigned char[64]));
static VOIDRET Encode __P((unsigned char *, UINT4 *, unsigned int));
static VOIDRET Decode __P((UINT4 *, unsigned char *, unsigned int));
static unsigned char PADDING[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/* F, G and H are basic MD4 functions.
*/
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
/* ROTATE_LEFT rotates x left n bits.
*/
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
/* FF, GG and HH are transformations for rounds 1, 2 and 3 */
/* Rotation is separate from addition to prevent recomputation */
#define FF(a, b, c, d, x, s) { \
(a) += F ((b), (c), (d)) + (x); \
(a) = ROTATE_LEFT ((a), (s)); \
}
#define GG(a, b, c, d, x, s) { \
(a) += G ((b), (c), (d)) + (x) + (UINT4)0x5a827999; \
(a) = ROTATE_LEFT ((a), (s)); \
}
#define HH(a, b, c, d, x, s) { \
(a) += H ((b), (c), (d)) + (x) + (UINT4)0x6ed9eba1; \
(a) = ROTATE_LEFT ((a), (s)); \
}
/* MD4 initialization. Begins an MD4 operation, writing a new context.
*/
VOIDRET opiemd4init FUNCTION((context), struct opiemdx_ctx *context)
{
context->count[0] = context->count[1] = 0;
/* Load magic initialization constants. */
context->state[0] = 0x67452301;
context->state[1] = 0xefcdab89;
context->state[2] = 0x98badcfe;
context->state[3] = 0x10325476;
}
/* MD4 block update operation. Continues an MD4 message-digest
operation, processing another message block, and updating the
context.
*/
VOIDRET opiemd4update FUNCTION((context, input, inputLen), struct opiemdx_ctx *context AND unsigned char *input AND unsigned int inputLen)
{
unsigned int i, index, partLen;
/* Compute number of bytes mod 64 */
index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
/* Update number of bits */
if ((context->count[0] += ((UINT4) inputLen << 3))
< ((UINT4) inputLen << 3))
context->count[1]++;
context->count[1] += ((UINT4) inputLen >> 29);
partLen = 64 - index;
/* Transform as many times as possible. */
if (inputLen >= partLen) {
memcpy((POINTER) & context->buffer[index], (POINTER) input, partLen);
MD4Transform(context->state, context->buffer);
for (i = partLen; i + 63 < inputLen; i += 64)
MD4Transform(context->state, &input[i]);
index = 0;
} else
i = 0;
/* Buffer remaining input */
memcpy((POINTER) & context->buffer[index], (POINTER) & input[i], inputLen - i);
}
/* MD4 finalization. Ends an MD4 message-digest operation, writing the
the message digest and zeroizing the context.
*/
VOIDRET opiemd4final FUNCTION((digest, context), unsigned char *digest AND struct opiemdx_ctx *context)
{
unsigned char bits[8];
unsigned int index, padLen;
/* Save number of bits */
Encode(bits, context->count, 8);
/* Pad out to 56 mod 64. */
index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
padLen = (index < 56) ? (56 - index) : (120 - index);
opiemd4update(context, PADDING, padLen);
/* Append length (before padding) */
opiemd4update(context, bits, 8);
/* Store state in digest */
Encode(digest, context->state, 16);
/* Zeroize sensitive information. */
memset((POINTER) context, 0, sizeof(*context));
}
/* MD4 basic transformation. Transforms state based on block.
*/
static VOIDRET MD4Transform FUNCTION((state, block), UINT4 state[4] AND unsigned char block[64])
{
UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
Decode(x, block, 64);
/* Round 1 */
FF(a, b, c, d, x[0], S11); /* 1 */
FF(d, a, b, c, x[1], S12); /* 2 */
FF(c, d, a, b, x[2], S13); /* 3 */
FF(b, c, d, a, x[3], S14); /* 4 */
FF(a, b, c, d, x[4], S11); /* 5 */
FF(d, a, b, c, x[5], S12); /* 6 */
FF(c, d, a, b, x[6], S13); /* 7 */
FF(b, c, d, a, x[7], S14); /* 8 */
FF(a, b, c, d, x[8], S11); /* 9 */
FF(d, a, b, c, x[9], S12); /* 10 */
FF(c, d, a, b, x[10], S13); /* 11 */
FF(b, c, d, a, x[11], S14); /* 12 */
FF(a, b, c, d, x[12], S11); /* 13 */
FF(d, a, b, c, x[13], S12); /* 14 */
FF(c, d, a, b, x[14], S13); /* 15 */
FF(b, c, d, a, x[15], S14); /* 16 */
/* Round 2 */
GG(a, b, c, d, x[0], S21); /* 17 */
GG(d, a, b, c, x[4], S22); /* 18 */
GG(c, d, a, b, x[8], S23); /* 19 */
GG(b, c, d, a, x[12], S24); /* 20 */
GG(a, b, c, d, x[1], S21); /* 21 */
GG(d, a, b, c, x[5], S22); /* 22 */
GG(c, d, a, b, x[9], S23); /* 23 */
GG(b, c, d, a, x[13], S24); /* 24 */
GG(a, b, c, d, x[2], S21); /* 25 */
GG(d, a, b, c, x[6], S22); /* 26 */
GG(c, d, a, b, x[10], S23); /* 27 */
GG(b, c, d, a, x[14], S24); /* 28 */
GG(a, b, c, d, x[3], S21); /* 29 */
GG(d, a, b, c, x[7], S22); /* 30 */
GG(c, d, a, b, x[11], S23); /* 31 */
GG(b, c, d, a, x[15], S24); /* 32 */
/* Round 3 */
HH(a, b, c, d, x[0], S31); /* 33 */
HH(d, a, b, c, x[8], S32); /* 34 */
HH(c, d, a, b, x[4], S33); /* 35 */
HH(b, c, d, a, x[12], S34); /* 36 */
HH(a, b, c, d, x[2], S31); /* 37 */
HH(d, a, b, c, x[10], S32); /* 38 */
HH(c, d, a, b, x[6], S33); /* 39 */
HH(b, c, d, a, x[14], S34); /* 40 */
HH(a, b, c, d, x[1], S31); /* 41 */
HH(d, a, b, c, x[9], S32); /* 42 */
HH(c, d, a, b, x[5], S33); /* 43 */
HH(b, c, d, a, x[13], S34); /* 44 */
HH(a, b, c, d, x[3], S31); /* 45 */
HH(d, a, b, c, x[11], S32); /* 46 */
HH(c, d, a, b, x[7], S33); /* 47 */
HH(b, c, d, a, x[15], S34); /* 48 */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
/* Zeroize sensitive information. */
memset((POINTER) x, 0, sizeof(x));
}
/* Encodes input (UINT4) into output (unsigned char). Assumes len is
a multiple of 4.
*/
static VOIDRET Encode FUNCTION((output, input, len), unsigned char *output AND UINT4 *input AND unsigned int len)
{
unsigned int i, j;
for (i = 0, j = 0; j < len; i++, j += 4) {
output[j] = (unsigned char) (input[i] & 0xff);
output[j + 1] = (unsigned char) ((input[i] >> 8) & 0xff);
output[j + 2] = (unsigned char) ((input[i] >> 16) & 0xff);
output[j + 3] = (unsigned char) ((input[i] >> 24) & 0xff);
}
}
/* Decodes input (unsigned char) into output (UINT4). Assumes len is
a multiple of 4.
*/
static VOIDRET Decode FUNCTION((output, input, len), UINT4 *output AND unsigned char *input AND unsigned int len)
{
unsigned int i, j;
for (i = 0, j = 0; j < len; i++, j += 4)
output[i] = ((UINT4) input[j]) | (((UINT4) input[j + 1]) << 8) |
(((UINT4) input[j + 2]) << 16) | (((UINT4) input[j + 3]) << 24);
}

304
contrib/opie/libopie/md5c.c
View File

@ -1,304 +0,0 @@
/* md5c.c: "RSA Data Security, Inc. MD5 Message-Digest Algorithm"
"derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm"
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.3. Changed PTR to VOIDPTR.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Don't play macro games with memset/memcpy. Renamed exported
functions to avoid conflicts. Use unified context structure.
Modified at NRL for OPIE 2.1. Minor autoconf mods.
Modified at NRL for OPIE 2.0.
Originally from RSADSI reference code.
*/
/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All
rights reserved.
License to copy and use this software is granted provided that it
is identified as the "RSA Data Security, Inc. MD5 Message-Digest
Algorithm" in all material mentioning or referencing this software
or this function.
License is also granted to make and use derivative works provided
that such works are identified as "derived from the RSA Data
Security, Inc. MD5 Message-Digest Algorithm" in all material
mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either
the merchantability of this software or the suitability of this
software for any particular purpose. It is provided "as is"
without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this
documentation and/or software.
*/
#include "opie_cfg.h"
#include "opie.h"
/* Constants for MD5Transform routine.
*/
#define S11 7
#define S12 12
#define S13 17
#define S14 22
#define S21 5
#define S22 9
#define S23 14
#define S24 20
#define S31 4
#define S32 11
#define S33 16
#define S34 23
#define S41 6
#define S42 10
#define S43 15
#define S44 21
static VOIDRET MD5Transform __P((UINT4[4], unsigned char[64]));
static unsigned char PADDING[64] =
{
0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0
};
/*
* Encodes input (UINT4) into output (unsigned char).
* Assumes len is a multiple of 4.
*/
static VOIDRET EEncode FUNCTION((output, input, len), unsigned char *output AND UINT4 *input AND unsigned int len)
{
unsigned int i, j;
for (i = 0, j = 0; j < len; i++, j += 4) {
output[j] = (unsigned char) (input[i] & 0xff);
output[j + 1] = (unsigned char) ((input[i] >> 8) & 0xff);
output[j + 2] = (unsigned char) ((input[i] >> 16) & 0xff);
output[j + 3] = (unsigned char) ((input[i] >> 24) & 0xff);
}
}
/*
* Decodes input (unsigned char) into output (UINT4).
* Assumes len is a multiple of 4.
*/
static VOIDRET EDecode FUNCTION((output, input, len), UINT4 *output AND unsigned char *input AND unsigned int len)
{
unsigned int i, j;
for (i = 0, j = 0; j < len; i++, j += 4)
output[i] = ((UINT4) input[j]) | (((UINT4) input[j + 1]) << 8) |
(((UINT4) input[j + 2]) << 16) | (((UINT4) input[j + 3]) << 24);
}
/* F, G, H and I are basic MD5 functions. */
#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
#define H(x, y, z) ((x) ^ (y) ^ (z))
#define I(x, y, z) ((y) ^ ((x) | (~z)))
/* ROTATE_LEFT rotates x left n bits. */
#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4.
Rotation is separate from addition to prevent recomputation. */
#define FF(a, b, c, d, x, s, ac) { \
(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define GG(a, b, c, d, x, s, ac) { \
(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define HH(a, b, c, d, x, s, ac) { \
(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
#define II(a, b, c, d, x, s, ac) { \
(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
(a) = ROTATE_LEFT ((a), (s)); \
(a) += (b); \
}
/* MD5 initialization. Begins an MD5 operation, writing a new context. */
VOIDRET opiemd5init FUNCTION((context), struct opiemdx_ctx *context)
{
context->count[0] = context->count[1] = 0;
/* Load magic initialization constants. */
context->state[0] = 0x67452301;
context->state[1] = 0xefcdab89;
context->state[2] = 0x98badcfe;
context->state[3] = 0x10325476;
}
/*
* MD5 block update operation. Continues an MD5 message-digest
* operation, processing another message block, and updating the
* context.
*/
VOIDRET opiemd5update FUNCTION((context, input, inputLen), struct opiemdx_ctx *context AND unsigned char *input AND unsigned int inputLen)
{
unsigned int i, index, partLen;
/* Compute number of bytes mod 64 */
index = (unsigned int) ((context->count[0] >> 3) & 0x3F);
/* Update number of bits */
if ((context->count[0] += ((UINT4) inputLen << 3)) < ((UINT4) inputLen << 3))
context->count[1]++;
context->count[1] += ((UINT4) inputLen >> 29);
partLen = 64 - index;
/* Transform as many times as possible. */
if (inputLen >= partLen) {
memcpy((VOIDPTR)&context->buffer[index], (VOIDPTR)input, partLen);
MD5Transform(context->state, context->buffer);
for (i = partLen; i + 63 < inputLen; i += 64)
MD5Transform(context->state, &input[i]);
index = 0;
} else
i = 0;
/* Buffer remaining input */
memcpy((VOIDPTR) & context->buffer[index],
(VOIDPTR) & input[i],
inputLen - i);
}
/* MD5 finalization. Ends an MD5 message-digest operation, writing the
the message digest and zeroizing the context.
*/
VOIDRET opiemd5final FUNCTION((digest, context), unsigned char *digest AND struct opiemdx_ctx *context)
{
unsigned char bits[8];
unsigned int index, padLen;
/* Save number of bits */
EEncode(bits, context->count, 8);
/* Pad out to 56 mod 64. */
index = (unsigned int) ((context->count[0] >> 3) & 0x3f);
padLen = (index < 56) ? (56 - index) : (120 - index);
opiemd5update(context, PADDING, padLen);
/* Append length (before padding) */
opiemd5update(context, bits, 8);
/* Store state in digest */
EEncode(digest, context->state, 16);
/* Zeroize sensitive information. */
memset((VOIDPTR) context, 0, sizeof(*context));
}
/* MD5 basic transformation. Transforms state based on block. */
static VOIDRET MD5Transform FUNCTION((state, block), UINT4 state[4] AND unsigned char block[64])
{
UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16];
EDecode(x, block, 64);
/* Round 1 */
FF(a, b, c, d, x[0], S11, 0xd76aa478); /* 1 */
FF(d, a, b, c, x[1], S12, 0xe8c7b756); /* 2 */
FF(c, d, a, b, x[2], S13, 0x242070db); /* 3 */
FF(b, c, d, a, x[3], S14, 0xc1bdceee); /* 4 */
FF(a, b, c, d, x[4], S11, 0xf57c0faf); /* 5 */
FF(d, a, b, c, x[5], S12, 0x4787c62a); /* 6 */
FF(c, d, a, b, x[6], S13, 0xa8304613); /* 7 */
FF(b, c, d, a, x[7], S14, 0xfd469501); /* 8 */
FF(a, b, c, d, x[8], S11, 0x698098d8); /* 9 */
FF(d, a, b, c, x[9], S12, 0x8b44f7af); /* 10 */
FF(c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */
FF(b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */
FF(a, b, c, d, x[12], S11, 0x6b901122); /* 13 */
FF(d, a, b, c, x[13], S12, 0xfd987193); /* 14 */
FF(c, d, a, b, x[14], S13, 0xa679438e); /* 15 */
FF(b, c, d, a, x[15], S14, 0x49b40821); /* 16 */
/* Round 2 */
GG(a, b, c, d, x[1], S21, 0xf61e2562); /* 17 */
GG(d, a, b, c, x[6], S22, 0xc040b340); /* 18 */
GG(c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */
GG(b, c, d, a, x[0], S24, 0xe9b6c7aa); /* 20 */
GG(a, b, c, d, x[5], S21, 0xd62f105d); /* 21 */
GG(d, a, b, c, x[10], S22, 0x2441453); /* 22 */
GG(c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */
GG(b, c, d, a, x[4], S24, 0xe7d3fbc8); /* 24 */
GG(a, b, c, d, x[9], S21, 0x21e1cde6); /* 25 */
GG(d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */
GG(c, d, a, b, x[3], S23, 0xf4d50d87); /* 27 */
GG(b, c, d, a, x[8], S24, 0x455a14ed); /* 28 */
GG(a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */
GG(d, a, b, c, x[2], S22, 0xfcefa3f8); /* 30 */
GG(c, d, a, b, x[7], S23, 0x676f02d9); /* 31 */
GG(b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */
/* Round 3 */
HH(a, b, c, d, x[5], S31, 0xfffa3942); /* 33 */
HH(d, a, b, c, x[8], S32, 0x8771f681); /* 34 */
HH(c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */
HH(b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */
HH(a, b, c, d, x[1], S31, 0xa4beea44); /* 37 */
HH(d, a, b, c, x[4], S32, 0x4bdecfa9); /* 38 */
HH(c, d, a, b, x[7], S33, 0xf6bb4b60); /* 39 */
HH(b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */
HH(a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */
HH(d, a, b, c, x[0], S32, 0xeaa127fa); /* 42 */
HH(c, d, a, b, x[3], S33, 0xd4ef3085); /* 43 */
HH(b, c, d, a, x[6], S34, 0x4881d05); /* 44 */
HH(a, b, c, d, x[9], S31, 0xd9d4d039); /* 45 */
HH(d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */
HH(c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */
HH(b, c, d, a, x[2], S34, 0xc4ac5665); /* 48 */
/* Round 4 */
II(a, b, c, d, x[0], S41, 0xf4292244); /* 49 */
II(d, a, b, c, x[7], S42, 0x432aff97); /* 50 */
II(c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */
II(b, c, d, a, x[5], S44, 0xfc93a039); /* 52 */
II(a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */
II(d, a, b, c, x[3], S42, 0x8f0ccc92); /* 54 */
II(c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */
II(b, c, d, a, x[1], S44, 0x85845dd1); /* 56 */
II(a, b, c, d, x[8], S41, 0x6fa87e4f); /* 57 */
II(d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */
II(c, d, a, b, x[6], S43, 0xa3014314); /* 59 */
II(b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */
II(a, b, c, d, x[4], S41, 0xf7537e82); /* 61 */
II(d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */
II(c, d, a, b, x[2], S43, 0x2ad7d2bb); /* 63 */
II(b, c, d, a, x[9], S44, 0xeb86d391); /* 64 */
state[0] += a;
state[1] += b;
state[2] += c;
state[3] += d;
/* Zeroize sensitive information. */
memset((VOIDPTR)x, 0, sizeof(x));
}

96
contrib/opie/libopie/newseed.c
View File

@ -1,96 +0,0 @@
/* newseed.c: The opienewseed() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Greatly simplified increment. Now does
not add digits. Reformatted the code.
Modified by cmetz for OPIE 2.32. Added syslog.h if DEBUG.
Modified by cmetz for OPIE 2.31. Added time.h.
Created by cmetz for OPIE 2.22.
$FreeBSD$
*/
#include "opie_cfg.h"
#ifndef HAVE_TIME_H
#define HAVE_TIME_H 1
#endif
#if HAVE_TIME_H
#include <time.h>
#endif /* HAVE_TIME_H */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include <ctype.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#if HAVE_SYS_UTSNAME_H
#include <sys/utsname.h>
#endif /* HAVE_SYS_UTSNAME_H */
#include <errno.h>
#if DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include <stdio.h>
#include <stdlib.h>
#include "opie.h"
int opienewseed FUNCTION((seed), char *seed)
{
if (!seed)
return -1;
if (seed[0]) {
char *c;
unsigned int i, max;
if ((i = strlen(seed)) > OPIE_SEED_MAX)
i = OPIE_SEED_MAX;
for (c = seed + i - 1, max = 1;
(c >= seed) && isdigit(*c); c--)
max *= 10;
if ((i = strtoul(++c, (char **)0, 10)) < max) {
if (++i >= max)
i = 1;
sprintf(c, "%d", i);
return 0;
}
}
{
time_t now;
time(&now);
srand(now);
}
{
struct utsname utsname;
if (uname(&utsname) < 0) {
#if DEBUG
syslog(LOG_DEBUG, "uname: %s(%d)", strerror(errno),
errno);
#endif /* DEBUG */
utsname.nodename[0] = 'k';
utsname.nodename[1] = 'e';
}
utsname.nodename[2] = 0;
if (snprintf(seed, OPIE_SEED_MAX+1, "%s%04d", utsname.nodename,
(rand() % 9999) + 1) >= OPIE_SEED_MAX+1)
return -1;
return 0;
}
}

77
contrib/opie/libopie/open.c
View File

@ -1,77 +0,0 @@
/* open.c: The __opieopen() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. More portable way to get the mode
string for fopen.
Created by cmetz for OPIE 2.3.
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <sys/types.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <sys/stat.h>
#include <errno.h>
#include "opie.h"
#if !HAVE_LSTAT
#define lstat(x, y) stat(x, y)
#endif /* !HAVE_LSTAT */
FILE *__opieopen FUNCTION((file, rw, mode), char *file AND int rw AND int mode)
{
FILE *f;
struct stat st;
if (lstat(file, &st)) {
if (errno != ENOENT)
return NULL;
if (!(f = fopen(file, "w")))
return NULL;
fclose(f);
if (chmod(file, mode))
return NULL;
if (lstat(file, &st))
return NULL;
}
if (!S_ISREG(st.st_mode))
return NULL;
{
char *fmode;
switch(rw) {
case 0:
fmode = "r";
break;
case 1:
fmode = "r+";
break;
case 2:
fmode = "a";
break;
default:
return NULL;
};
if (!(f = fopen(file, fmode)))
return NULL;
}
return f;
}

82
contrib/opie/libopie/parsechallenge.c
View File

@ -1,82 +0,0 @@
/* parsechallenge.c: The __opieparsechallenge() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Use OPIE_SEQUENCE_MAX, check for
sequence number of zero.
Modified by cmetz for OPIE 2.32. Check for extended response sets.
Change prefix to double underscore.
Created by cmetz for OPIE 2.3 using generator.c as a guide.
*/
#include "opie_cfg.h"
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include <ctype.h>
#include <stdlib.h>
#include "opie.h"
struct algorithm {
char *name;
int num;
};
static struct algorithm algorithms[] = {
{ "md5", 5 },
{ "md4", 4 },
{ "sha1", 3 },
{ NULL, 0 },
};
int __opieparsechallenge FUNCTION((buffer, algorithm, sequence, seed, exts), char *buffer AND int *algorithm AND int *sequence AND char **seed AND int *exts)
{
char *c;
if (!(c = strchr(buffer, ' ')))
return 1;
{
struct algorithm *a;
for (a = algorithms; a->name && strncmp(buffer, a->name, (int)(c - buffer)); a++);
if (!a->name)
return -1;
*algorithm = a->num;
}
if (((*sequence = strtoul(++c, &c, 10)) > OPIE_SEQUENCE_MAX) || !*sequence)
return -1;
while(*c && isspace(*c)) c++;
if (!*c)
return -1;
buffer = c;
while(*c && !isspace(*c)) c++;
{
int i = (int)(c - buffer);
if ((i > OPIE_SEED_MAX) || (i < OPIE_SEED_MIN))
return -1;
}
*seed = buffer;
*(c++) = 0;
while(*c && !isspace(*c)) c++;
if (*c && !strncmp(c, "ext", 3))
*exts = 1;
else
*exts = 0;
return 0;
}

50
contrib/opie/libopie/passcheck.c
View File

@ -1,50 +0,0 @@
/* passcheck.c: The opiepasscheck() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.3. OPIE_PASS_{MIN,MAX} changed to
OPIE_SECRET_{MIN,MAX}.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Created at NRL for OPIE 2.2 from opiesubr.c.
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <string.h>
#include "opie.h"
/*
Applies "good password" rules to the secret pass phrase.
We currently implement the following:
Passwords must be at least OPIE_SECRET_MIN (10) characters long.
Passwords must be at most OPIE_SECRET_MAX (127) characters long.
N.B.: Passing NULL pointers to this function is a bad idea.
*/
int opiepasscheck FUNCTION((secret), char *secret)
{
int len = strlen(secret);
if (len < OPIE_SECRET_MIN)
return 1;
if (len > OPIE_SECRET_MAX)
return 1;
return 0;
}

76
contrib/opie/libopie/passwd.c
View File

@ -1,76 +0,0 @@
/* passwd.c: The opiepasswd() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.32. Renamed mode to flags. Made flag
values symbolic constants. Added a flag for insecure override
support.
Modified by cmetz for OPIE 2.31. Removed active attack protection
support.
Modified by cmetz for OPIE 2.3. Split most of the function off
and turned this into a front-end for the new __opiewriterec().
Added code to compute the key from the secret. Use the opie_
prefix. Use new opieatob8() and opiebtoa8() return values.
Created by cmetz for OPIE 2.22.
*/
#include <string.h>
#include "opie_cfg.h"
#include "opie.h"
int opiepasswd FUNCTION((old, flags, principal, n, seed, ks), struct opie *old AND int flags AND char *principal AND int n AND char *seed AND char *ks)
{
int i;
struct opie opie;
if ((flags & OPIEPASSWD_CONSOLE) && opieinsecure())
#if INSECURE_OVERRIDE
if (!(flags & OPIEPASSWD_FORCE))
#endif /* INSECURE_OVERRIDE */
return -1;
memset(&opie, 0, sizeof(struct opie));
if (old) {
opie.opie_flags = old->opie_flags;
opie.opie_recstart = old->opie_recstart;
}
opie.opie_principal = principal;
opie.opie_n = n;
opie.opie_seed = seed;
if (ks) {
struct opie_otpkey key;
if (flags & OPIEPASSWD_CONSOLE) {
if (opiekeycrunch(MDX, &key, seed, ks))
return -1;
for (i = n; i; i--)
opiehash(&key, MDX);
if (!(opie.opie_val = opiebtoa8(opie.opie_buf, &key)))
return -1;
} else {
if ((opieetob(&key, ks) != 1) && !opieatob8(&key, ks))
return 1;
if (!(opie.opie_val = opiebtoa8(opie.opie_buf, &key)))
return 1;
}
}
if (opielock(principal))
return -1;
i = __opiewriterec(&opie);
if (opieunlock())
return -1;
return i;
}

50
contrib/opie/libopie/randomchallenge.c
View File

@ -1,50 +0,0 @@
/* randomchallenge.c: The opierandomchallenge() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Use snprintf().
Modified by cmetz for OPIE 2.32. Initialize algids[] with 0s
instead of NULL.
Modified by cmetz for OPIE 2.3. Add sha support.
Modified by cmetz for OPIE 2.22. Don't include stdio.h.
Use opienewseed(). Don't include unneeded headers.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Changed use of gethostname() to uname(). Ifdefed around some
headers.
Created at NRL for OPIE 2.2 from opiesubr2.c
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "opie_cfg.h"
#include "opie.h"
static char *algids[] = { 0, 0, 0, "sha1", "md4", "md5" };
/* Generate a random challenge */
/* This could grow into quite a monster, really. Random is good enough for
most situations; it is certainly better than a fixed string */
VOIDRET opierandomchallenge FUNCTION((prompt), char *prompt)
{
char buf[OPIE_SEED_MAX+1];
buf[0] = 0;
if (opienewseed(buf))
strcpy(buf, "ke4452");
snprintf(prompt, OPIE_CHALLENGE_MAX+1, "otp-%s %d %s ext", algids[MDX],
(rand() % 499) + 1, buf);
}

315
contrib/opie/libopie/readpass.c
View File

@ -1,315 +0,0 @@
/* readpass.c: The opiereadpass() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.31. Use usleep() to delay after setting
the terminal attributes; this might help certain buggy
systems.
Modified by cmetz for OPIE 2.3. Use TCSAFLUSH always.
Modified by cmetz for OPIE 2.22. Replaced echo w/ flags.
Really use FUNCTION.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Flush extraneous characters up to eol. Handle gobs of possible
erase and kill keys if on a terminal. To do so, use RAW
terminal I/O and handle echo ourselves. (should also help
DOS et al portability). Fixed include order. Re-did MSDOS
and OS/2 includes. Set up VMIN and VTIME. Added some non-UNIX
portability cruft. Limit backspacing and killing. In terminal
mode, eat random other control characters. Added eof handling.
Created at NRL for OPIE 2.2 from opiesubr.c. Change opiestrip_crlf to
opiestripcrlf. Don't strip to seven bits.
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h> /* ANSI C standard library */
#ifdef unix
#include <fcntl.h> /* POSIX file control function headers */
#include <termios.h> /* POSIX Terminal I/O functions */
#if HAVE_UNISTD_H
#include <unistd.h> /* POSIX standard definitions */
#endif /* HAVE_UNISTD_H */
#include <signal.h>
#include <setjmp.h>
#endif /* unix */
#ifdef __MSDOS__
#include <dos.h>
#endif /* __MSDOS__ */
#ifdef __OS2__
#define INCL_KBD
#include <os2.h>
#include <io.h>
#endif /* __OS2__ */
#include "opie.h"
#define CONTROL(x) (x - 64)
char *bsseq = "\b \b";
#ifdef unix
static jmp_buf jmpbuf;
static VOIDRET catch FUNCTION((i), int i)
{
longjmp(jmpbuf, 1);
}
#endif /* unix */
char *opiereadpass FUNCTION((buf, len, flags), char *buf AND int len AND int flags)
{
#ifdef unix
struct termios attr, orig_attr;
#endif /* unix */
char erase[5];
char kill[4];
char eof[4];
memset(erase, 0, sizeof(erase));
memset(kill, 0, sizeof(kill));
memset(eof, 0, sizeof(eof));
/* This section was heavily rewritten by rja following the model of code
samples circa page 151 of the POSIX Programmer's Guide by Donald Lewine,
ISBN 0-937175-73-0. That book is Copyright 1991 by O'Reilly &
Associates, Inc. All Rights Reserved. I recommend the book to anyone
trying to write portable software. rja */
#ifdef unix
if (setjmp(jmpbuf))
goto error;
signal(SIGINT, catch);
#endif /* unix */
/* Flush any pending output */
fflush(stderr);
fflush(stdout);
#ifdef unix
/* Get original terminal attributes */
if (isatty(0)) {
if (tcgetattr(0, &orig_attr))
return NULL;
/* copy terminal settings into attr */
memcpy(&attr, &orig_attr, sizeof(struct termios));
attr.c_lflag &= ~(ECHO | ICANON);
attr.c_lflag |= ISIG;
attr.c_cc[VMIN] = 1;
attr.c_cc[VTIME] = 0;
erase[0] = CONTROL('H');
erase[1] = 127;
#ifdef CERASE
{
char *e = erase;
while(*e)
if (*(e++) == CERASE)
break;
if (!*e)
*e = CERASE;
}
#endif /* CERASE */
#ifdef VERASE
{
char *e = erase;
while(*e)
if (*(e++) == attr.c_cc[VERASE])
break;
if (!*e)
*e = attr.c_cc[VERASE];
}
#endif /* VERASE */
kill[0] = CONTROL('U');
#ifdef CKILL
{
char *e = kill;
while(*e)
if (*(e++) == CKILL)
break;
if (!*e)
*e = CKILL;
}
#endif /* CKILL */
#ifdef VKILL
{
char *e = kill;
while(*e)
if (*(e++) == attr.c_cc[VKILL])
break;
if (!*e)
*e = attr.c_cc[VKILL];
}
#endif /* VKILL */
eof[0] = CONTROL('D');
#ifdef CEOF
{
char *e = eof;
while(*e)
if (*(e++) == CEOF)
break;
if (!*e)
*e = CEOF;
}
#endif /* CEOF */
#ifdef VEOF
{
char *e = eof;
while(*e)
if (*(e++) == attr.c_cc[VEOF])
break;
if (!*e)
*e = VEOF;
}
#endif /* VEOF */
#if HAVE_USLEEP
usleep(1);
#endif /* HAVE_USLEEP */
if (tcsetattr(0, TCSAFLUSH, &attr))
goto error;
#if HAVE_USLEEP
usleep(1);
#endif /* HAVE_USLEEP */
}
#else /* unix */
erase[0] = CONTROL('H');
erase[1] = 127;
kill[0] = CONTROL('U');
eof[0] = CONTROL('D');
eof[1] = CONTROL('Z');
#endif /* unix */
{
char *c = buf, *end = buf + len, *e;
#ifdef __OS2__
KBDKEYINFO keyInfo;
#endif /* __OS2__ */
loop:
#ifdef unix
if (read(0, c, 1) != 1)
goto error;
#endif /* unix */
#ifdef MSDOS
*c = bdos(7, 0, 0);
#endif /* MSDOS */
#ifdef __OS2__
KbdCharIn(&keyInfo, 0, 0);
*c = keyInfo.chChar;
#endif /* __OS2__ */
if ((*c == '\r') || (*c == '\n')) {
*c = 0;
goto restore;
}
e = eof;
while(*e)
if (*(e++) == *c)
goto error;
e = erase;
while(*e)
if (*(e++) == *c) {
if (c <= buf)
goto beep;
if (flags & 1)
write(1, bsseq, sizeof(bsseq) - 1);
c--;
goto loop;
}
e = kill;
while(*e)
if (*(e++) == *c) {
if (c <= buf)
goto beep;
if (flags & 1)
while(c-- > buf)
write(1, bsseq, sizeof(bsseq) - 1);
c = buf;
goto loop;
}
if (c < end) {
if (*c < 32)
goto beep;
if (flags & 1)
write(1, c, 1);
c++;
} else {
beep:
*c = CONTROL('G');
write(1, c, 1);
}
goto loop;
}
restore:
#ifdef unix
/* Restore previous tty modes */
if (isatty(0))
if (tcsetattr(0, TCSAFLUSH, &orig_attr))
return NULL;
signal(SIGINT, SIG_DFL);
#endif /* unix */
/* After the secret key is taken from the keyboard, the line feed is
written to standard error instead of standard output. That means that
anyone using the program from a terminal won't notice, but capturing
standard output will get the key words without a newline in front of
them. */
if (!(flags & 4)) {
fprintf(stderr, "\n");
fflush(stderr);
}
return buf;
error:
*buf = 0;
buf = NULL;
goto restore;
}

167
contrib/opie/libopie/readrec.c
View File

@ -1,167 +0,0 @@
/* readrec.c: The __opiereadrec() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Check that seed, sequence number, and
response values are valid.
Modified by cmetz for OPIE 2.31. Removed active attack protection
support. Fixed a debug message typo. Keep going after bogus
records. Set read flag.
Created by cmetz for OPIE 2.3.
$FreeBSD$
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <sys/types.h>
#include <errno.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#if HAVE_FCNTL_H
#include <fcntl.h>
#endif /* HAVE_FCNTL_H */
#include <ctype.h>
#include <errno.h>
#if DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include "opie.h"
static int parserec FUNCTION((opie), struct opie *opie)
{
char *c, *c2;
if (!(c2 = strchr(opie->opie_principal = opie->opie_buf, ' ')))
return -1;
while(*c2 == ' ') c2++;
*(c2 - 1) = 0;
if (!(c2 = strchr(c = c2, ' ')))
return -1;
*(c2++) = 0;
{
char *c3;
opie->opie_n = strtoul(c, &c3, 10);
if (*c3 || (opie->opie_n <= 0) || (opie->opie_n > 9999))
return -1;
};
if (!(c2 = strchr(opie->opie_seed = c2, ' ')))
return -1;
*(c2++) = 0;
for (c = opie->opie_seed; *c; c++)
if (!isalnum(*c))
return -1;
while(*c2 == ' ') c2++;
if (!(c2 = strchr(opie->opie_val = c2, ' ')))
return -1;
*(c2++) = 0;
{
struct opie_otpkey otpkey;
if (!opieatob8(&otpkey, opie->opie_val))
return -1;
}
return 0;
}
int __opiereadrec FUNCTION((opie), struct opie *opie)
{
FILE *f = NULL;
int rval = -1;
if (!(f = __opieopen(KEY_FILE, 0, 0600))) {
#if DEBUG
syslog(LOG_DEBUG, "__opiereadrec: __opieopen(KEY_FILE..) failed!");
#endif /* DEBUG */
goto ret;
}
{
int i;
if ((i = open(KEY_FILE, O_RDWR)) < 0) {
opie->opie_flags &= ~__OPIE_FLAGS_RW;
#if DEBUG
syslog(LOG_DEBUG, "__opiereadrec: open(KEY_FILE, O_RDWR) failed: %s", strerror(errno));
#endif /* DEBUG */
} else {
close(i);
opie->opie_flags |= __OPIE_FLAGS_RW;
}
}
if (opie->opie_buf[0]) {
if (fseek(f, opie->opie_recstart, SEEK_SET))
goto ret;
if (fgets(opie->opie_buf, sizeof(opie->opie_buf), f))
goto ret;
if (parserec(opie))
goto ret;
opie->opie_flags |= __OPIE_FLAGS_READ;
rval = 0;
goto ret;
}
if (!opie->opie_principal)
goto ret;
{
char *c, principal[OPIE_PRINCIPAL_MAX];
int i;
if (c = strchr(opie->opie_principal, ':'))
*c = 0;
strlcpy(principal, opie->opie_principal, sizeof(principal));
do {
if ((opie->opie_recstart = ftell(f)) < 0)
goto ret;
if (!fgets(opie->opie_buf, sizeof(opie->opie_buf), f)) {
rval = 1;
goto ret;
}
if (parserec(opie))
continue;
} while (strcmp(principal, opie->opie_principal));
rval = 0;
}
ret:
if (f)
fclose(f);
return rval;
}

103
contrib/opie/libopie/unlock.c
View File

@ -1,103 +0,0 @@
/* unlock.c: The opieunlock() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.31. Bug fix.
Modified by cmetz for OPIE 2.3. Do refcounts whether or not
we actually lock. Fixed USER_LOCKING=0 case.
Modified by cmetz for OPIE 2.22. Added reference count support.
Changed lock filename/refcount symbol names to better indicate
that they're not user serviceable.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration.
Check for read() == -1. ifdef around unistd.h.
Created at NRL for OPIE 2.2 from opiesubr2.c
*/
#include "opie_cfg.h"
#include <string.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <fcntl.h>
#include "opie.h"
extern int __opie_lockrefcount;
#if USER_LOCKING
extern char *__opie_lockfilename;
#endif /* USER_LOCKING */
/*
Just remove the lock, right?
Well, not exactly -- we need to make sure it's ours.
*/
int opieunlock FUNCTION_NOARGS
{
#if USER_LOCKING
int fh, rval = -1, pid, t, i;
char buffer[128], *c, *c2;
if (--__opie_lockrefcount > 0)
return 0;
if (!__opie_lockfilename)
return -1;
if (!(fh = open(__opie_lockfilename, O_RDWR, 0600)))
goto unlockret;
if ((i = read(fh, buffer, sizeof(buffer))) < 0)
goto unlockret;
buffer[sizeof(buffer) - 1] = 0;
buffer[i - 1] = 0;
if (!(c = strchr(buffer, '\n')))
goto unlockret;
*(c++) = 0;
if (!(c2 = strchr(c, '\n')))
goto unlockret;
*(c2++) = 0;
if (!(pid = atoi(buffer)))
goto unlockret;
if (!(t = atoi(c)))
goto unlockret;
if ((pid != getpid()) && (time(0) <= OPIE_LOCK_TIMEOUT + t) && (!kill(pid, 0))) {
rval = 1;
goto unlockret1;
}
rval = 0;
unlockret:
unlink(__opie_lockfilename);
unlockret1:
if (fh)
close(fh);
free(__opie_lockfilename);
__opie_lockfilename = NULL;
return rval;
#else /* USER_LOCKING */
if (__opie_lockrefcount-- > 0)
return 0;
return -1;
#endif /* USER_LOCKING */
}

222
contrib/opie/libopie/verify.c
View File

@ -1,222 +0,0 @@
/* verify.c: The opieverify() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_otpkey for keys.
Check that seed and sequence number are valid.
Modified by cmetz for OPIE 2.32. Renamed _opieparsechallenge() to
__opieparsechallenge() and handle new argument. Fixed init
response parsing bug.
Modified by cmetz for OPIE 2.31. Renamed "init" to "init-hex".
Modified by cmetz for OPIE 2.31. Renamed "init" and "RESPONSE_INIT"
to "init-hex" and "RESPONSE_INIT_HEX". Removed active attack
protection support.
Created by cmetz for OPIE 2.3 using the old verify.c as a guide.
*/
#include "opie_cfg.h"
#ifdef HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include <ctype.h>
#include "opie.h"
#define RESPONSE_STANDARD 0
#define RESPONSE_WORD 1
#define RESPONSE_HEX 2
#define RESPONSE_INIT_HEX 3
#define RESPONSE_INIT_WORD 4
#define RESPONSE_UNKNOWN 5
struct _rtrans {
int type;
char *name;
};
static struct _rtrans rtrans[] = {
{ RESPONSE_WORD, "word" },
{ RESPONSE_HEX, "hex" },
{ RESPONSE_INIT_HEX, "init-hex" },
{ RESPONSE_INIT_WORD, "init-word" },
{ RESPONSE_STANDARD, "" },
{ RESPONSE_UNKNOWN, NULL }
};
static char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" };
static int changed FUNCTION((opie), struct opie *opie)
{
struct opie opie2;
memset(&opie2, 0, sizeof(struct opie));
opie2.opie_principal = opie->opie_principal;
if (__opiereadrec(&opie2))
return 1;
if ((opie2.opie_n != opie->opie_n) || strcmp(opie2.opie_val, opie->opie_val) || strcmp(opie2.opie_seed, opie->opie_seed))
return 1;
memset(&opie2, 0, sizeof(struct opie));
return 0;
}
int opieverify FUNCTION((opie, response), struct opie *opie AND char *response)
{
int i, rval = -1;
char *c;
struct opie_otpkey key, fkey, lastkey;
struct opie nopie;
if (!opie || !response)
goto verret;
if (!opie->opie_principal)
#if DEBUG
abort();
#else /* DEBUG */
goto verret;
#endif /* DEBUG */
if (!opieatob8(&lastkey, opie->opie_val))
goto verret;
for (c = opie->opie_seed; *c; c++)
if (!isalnum(*c))
goto verret;
if (opie->opie_n <= 0)
goto verret;
if (c = strchr(response, ':')) {
*(c++) = 0;
{
struct _rtrans *r;
for (r = rtrans; r->name && strcmp(r->name, response); r++);
i = r->type;
}
} else
i = RESPONSE_STANDARD;
switch(i) {
case RESPONSE_STANDARD:
i = 1;
if (opieetob(&key, response) == 1) {
memcpy(&fkey, &key, sizeof(struct opie_otpkey));
opiehash(&fkey, MDX);
i = memcmp(&fkey, &lastkey, sizeof(struct opie_otpkey));
}
if (i && opieatob8(&key, response)) {
memcpy(&fkey, &key, sizeof(struct opie_otpkey));
opiehash(&fkey, MDX);
i = memcmp(&fkey, &lastkey, sizeof(struct opie_otpkey));
}
break;
case RESPONSE_WORD:
i = 1;
if (opieetob(&key, c) == 1) {
memcpy(&fkey, &key, sizeof(struct opie_otpkey));
opiehash(&fkey, MDX);
i = memcmp(&fkey, &lastkey, sizeof(struct opie_otpkey));
}
break;
case RESPONSE_HEX:
i = 1;
if (opieatob8(&key, c)) {
memcpy(&fkey, &key, sizeof(struct opie_otpkey));
opiehash(&fkey, MDX);
i = memcmp(&fkey, &lastkey, sizeof(struct opie_otpkey));
}
break;
case RESPONSE_INIT_HEX:
case RESPONSE_INIT_WORD:
{
char *c2;
if (!(c2 = strchr(c, ':')))
goto verret;
*(c2++) = 0;
if (i == RESPONSE_INIT_HEX) {
if (!opieatob8(&key, c))
goto verret;
} else {
if (opieetob(&key, c) != 1)
goto verret;
}
memcpy(&fkey, &key, sizeof(struct opie_otpkey));
opiehash(&fkey, MDX);
if (memcmp(&fkey, &lastkey, sizeof(struct opie_otpkey)))
goto verret;
if (changed(opie))
goto verret;
opie->opie_n--;
if (!opiebtoa8(opie->opie_val, &key))
goto verret;
if (__opiewriterec(opie))
goto verret;
if (!(c2 = strchr(c = c2, ':')))
goto verret;
*(c2++) = 0;
{
int j, k;
if (__opieparsechallenge(c, &j, &(opie->opie_n), &(opie->opie_seed), &k) || (j != MDX) || k)
goto verret;
}
if (i == RESPONSE_INIT_HEX) {
if (!opieatob8(&key, c2))
goto verret;
} else {
if (opieetob(&key, c2) != 1)
goto verret;
}
}
goto verwrt;
case RESPONSE_UNKNOWN:
rval = 1;
goto verret;
default:
rval = -1;
goto verret;
}
if (i) {
rval = 1;
goto verret;
}
if (changed(opie))
goto verret;
opie->opie_n--;
verwrt:
if (!opiebtoa8(opie->opie_val, &key))
goto verret;
rval = __opiewriterec(opie);
verret:
opieunlock();
memset(opie, 0, sizeof(struct opie));
return rval;
}

29
contrib/opie/libopie/version.c
View File

@ -1,29 +0,0 @@
/* version.c: The opieversion() library function.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Created at NRL for OPIE 2.2 from opiesubr.c.
*/
#include <stdio.h>
#include <stdlib.h>
#include "opie_cfg.h"
#include "opie.h"
VOIDRET opieversion FUNCTION_NOARGS
{
printf("\nOPIE %s (%s)\n\n", VERSION, DATE);
exit(0);
}

89
contrib/opie/libopie/writerec.c
View File

@ -1,89 +0,0 @@
/* writerec.c: The __opiewriterec() library function.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Check that seed and sequence number are
valid.
Modified by cmetz for OPIE 2.31. Removed active attack protection
support. Fixed passwd bug.
Created by cmetz for OPIE 2.3 from passwd.c.
$FreeBSD$
*/
#include "opie_cfg.h"
#include <stdio.h>
#if TM_IN_SYS_TIME
#include <sys/time.h>
#else /* TM_IN_SYS_TIME */
#include <time.h>
#endif /* TM_IN_SYS_TIME */
#include <sys/types.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#include <ctype.h>
#include "opie.h"
char *__opienone = "****************";
int __opiewriterec FUNCTION((opie), struct opie *opie)
{
char buf[17], buf2[64];
time_t now;
FILE *f, *f2 = NULL;
int i = 0;
char *c;
time(&now);
if (strftime(buf2, sizeof(buf2), " %b %d,%Y %T", localtime(&now)) < 1)
return -1;
if (!(opie->opie_flags & __OPIE_FLAGS_READ)) {
struct opie opie2;
i = opielookup(&opie2, opie->opie_principal);
opie->opie_flags = opie2.opie_flags;
opie->opie_recstart = opie2.opie_recstart;
}
for (c = opie->opie_seed; *c; c++)
if (!isalnum(*c))
return -1;
if ((opie->opie_n < 0) || (opie->opie_n > 9999))
return -1;
switch(i) {
case 0:
if (!(f = __opieopen(KEY_FILE, 1, 0600)))
return -1;
if (fseek(f, opie->opie_recstart, SEEK_SET))
return -1;
break;
case 1:
if (!(f = __opieopen(KEY_FILE, 2, 0600)))
return -1;
break;
default:
return -1;
}
if (fprintf(f, "%s %04d %-16s %s %-21s\n", opie->opie_principal, opie->opie_n, opie->opie_seed, opie->opie_val ? opie->opie_val : __opienone, buf2) < 1)
return -1;
fclose(f);
return 0;
}

342
contrib/opie/opie.4
View File

@ -1,342 +0,0 @@
.\" opie.4: Overview of the OPIE software.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.4. Spelling fixes.
.\" Modified by cmetz for OPIE 2.2. Removed MJR DES documentation. Removed
.\" references to the old square brackets challenge delimiters.
.\" Modified at NRL for OPIE 2.01. Updated UNIX trademark credit.
.\" Definition of "seed" written by Neil Haller of Bellcore
.\" Written at NRL for OPIE 2.0.
.\"
.\" $FreeBSD$
.\"
.TH OPIE 4 "January 10, 1995"
.SH NAME
.B OPIE \- One-time Passwords In Everything
.SH DEPRECATION NOTICE
OPIE is deprecated, and may not be available in FreeBSD 14.0 and later.
.SH DESCRIPTION
.LP
OPIE is a package derived from the Bellcore S/Key Version 1 distribution
that helps to secure a system against replay attacks (see below). It does so
using a secure hash function and a challenge/response system. It provides
replacements for the
.IR login (1),
.IR su (1),
and
.IR ftpd (8)
programs that use OPIE
authentication as well as demonstrate how a program might be adapted to use
OPIE authentication. OPIE was developed at and for the United States Naval
Research Laboratory (NRL). OPIE is derived in part from Berkeley Standard
Distribution UNIX and the Bellcore S/Key Version 1 distribution.
.LP
From the average user's perspective, OPIE is a nuisance that prevents their
account from being broken into. The first time a user wishes to use OPIE,
(s)he needs to use the
.IR opiepasswd (1)
command to put an entry for them into
the OPIE database. The user can then use OPIE to authenticate themselves
with any program that supports it. If no other clients are being used,
this means they can use OPIE to
.I telnet,
.I rlogin,
or
.I ftp
into the system,
log in on a terminal port (like a modem), or switch to another user's
account. When they would normally be asked for a password, they will get
a challenge from the server. They then need to copy that challenge (or
re-type, if they don't have the ability to copy and paste through something
like a window system) to their calculator program, enter their password,
then copy (or re-type) the response from the calculator as their password.
While this will seem cumbersome at first, with some practice, it becomes
easy.
.SH TERMS
.TP
.I user name
The name that the system knows you as. For example, "jdoe".
.TP
.I secret password
A password, usually selected by the user, that is needed to gain access to the
system. For example, "SEc1_rt".
.TP
.I challenge
A packet of information output by a system when it wishes to authenticate a
user. In OPIE, this is a three-item group consisting of a hash identifier,
a sequence number, and a seed. This
information is needed by the OPIE calculator to generate a proper response.
For example, "otp-md5 95 wi14321".
.TP
.I response
A packet of information generated from a challenge that is used by a system to
authenticate a user. In OPIE, this is a group of six words that is generated by
the calculator given the challenge and the secret password. For example,
"PUP SOFT ROSE BIAS FLAG END".
.TP
.I seed
A piece of information that is used in conjunction with the secret password
and sequence number to compute the response. Its purpose is to allow the same
secret password to be used for multiple sequences, by changing the seed, or
for authentication to multiple machines by using different seeds.
.TP
.I sequence number
A counter used to keep track of key iterations. In OPIE, each time a successful
response is received by the system, the sequence number is decremented. For
example, "95".
.TP
.I hash identifier
A piece of text that identifies the actual algorithm that needs to be used to
generate a proper response. In OPIE, the only two valid hash identifiers are
"otp-md4", which selects MD4 hashing, and "otp-md5", which selects MD5.
.SH REPLAY ATTACKS
When you use a network terminal program like
.IR telnet (1)
or even use a modem to log into a
computer system, you need a user name and a secret password. Anyone who can
provide those to the system is recognized as you because, in theory, only you
would have your secret password. Unfortunately, it is now easy to listen in
on many computer communications media. From modem communication to many
networks, your password is not usually safe over remote links. If a
cracker can listen in when you send your password, (s)he then has a copy
of your password that can be used at any time in the future to access your
account. On more than one occasion, major sites on the Internet have been
broken into exactly this way.
.LP
All an attacker has to
do is capture your password once and then replay it to the server when it's
asked for. Even if the password is communicated between machines in encoded
or encrypted form, as long as a cracker can get in by simply replaying
a previously captured communication, you are at risk. Up until very recently,
Novell NetWare was vulnerable this way. A cracker couldn't find out what your
password actually is, but (s)he didn't need to -- all that was necessary to
get into your account was to capture the encrypted password and send that
back to the server when asked for it.
.SH ONE-TIME PASSWORDS
One solution to the problem of replay attacks
is to keep changing the way that a password is being encoded so that what is
sent over the link to another system can only be used once. If you can do that,
then a cracker can replay it as many times as (s)he wants -- it's just not
going to get them anywhere. It's important, however, to make sure you encode
the password in such a way that the cracker can't use the encoded version to
figure out what the password is or what a future encoded password will be.
Otherwise, while still an improvement over no encoding or a fixed encoding,
you can still be broken into.
.SH THE S/KEY ALGORITHM
A solution to this whole problem was invented by Lamport in 1981. This
technique was implemented by Haller, Karn, and Walden at Bellcore. They
created a free software package called "S/Key" that used an algorithm
called a cryptographic checksum. A cryptographic checksum is a strong one-way
function such that, knowing the result of such a function, an attacker still
cannot feasibly determine the input. Further, unlike cyclic redundancy
checksums (CRCs), cryptographic checksums have few inputs that result in the
same output.
.LP
In S/Key, what changes is the number of
times the password is run through the secure hash. The password is run through
the secure hash once, then the output of the hash is run through the secure
hash again, that output is run through the secure hash again, and so on until
the number of times the password has been run through the secure hash is equal
to the desired sequence number. This is much slower than just, say, putting
the sequence number in before the password and running that through the secure
hash once, but it gains you one significant benefit. The server machine you
are trying to connect to has to have some way to determine whether the output
of that whole mess is right. If it stores it either without any encoding or
with a normal encoding, a cracker could still get at your password. But if it
stores it with a secure hash, then how does it account for the response
changing every time because the sequence number is changing? Also what if you
can never get to the machine any way that can't be listened in on? How do you
change your password without sending it over the link?
.LP
The clever solution
devised by Lamport is to keep in mind that the sequence number is
always decrementing by one and that, in the S/Key system, simply by running any
response with a sequence number N through the secure hash, you can get the
response with a sequence number N+1, but you can't go the other way. At any
given time, call the sequence number of the last valid response that the
system got N+1 and the sequence number of the response you are giving it N.
If the password that generated the response for N is the same as the one for
N+1, then you should be able to run the response for N through the secure hash
one more time, for a total of N+1 times, and get the same response as you got
back for N+1. Once you compare the two and find that they are the same, you
subtract one from N so that, now, the key for N that you just verified becomes
the new key for N+1 that you can store away to use the next time you need to
verify a key. This also means that if you need to change your password but
don't have a secure way to access your machine, all the system really needs to
have to verify your password is a valid response for one more than the sequence
number you want to start with.
.LP
Just for good measure, each side of
all of this uses a seed in conjunction with your password when it actually
generates and verifies the responses. This helps to jumble things up a little
bit more, just in case. Otherwise, someone with a lot of time and disk space
on their hands could generate all the responses for a lot of frequent passwords
and defeat the system.
.LP
This is not, by any means, the best explanation of how the S/Key algorithm
works or some of the more minor details. For that, you should go to some of
the papers now published on the topic. It is simply a quick-and-dirty
introduction to what's going on under the hood.
.SH OPIE COMPONENTS
The OPIE distribution has been incorporated into three standard client
programs:
.IR login (1),
.IR su (1),
and
.IR ftpd (8),
.LP
There are also three programs in the OPIE distribution that are specific to
the OPIE system:
.IR opiepasswd (1),
which allows a user to set and change their
OPIE password,
.IR opieinfo (1),
which allows a user to find out what their current
sequence number and seed are, and
.IR opiekey(1),
which is an OPIE key calculator.
.SH ADDING OPIE TO OTHER PROGRAMS
Adding OPIE authentication to programs other than the ones included as clients
in the OPIE distribution isn't very difficult. First, you will need to make
sure that the program includes <stdio.h> somewhere. Then, below the other
includes such as <stdio.h>, but before variable declarations, you need to
include <opie.h>. You need to add a variable of type "struct opie" to your
program, you need to make sure that the buffer that you use to get a password
from the user is big enough to hold OPIE_RESPONSE_MAX+1 characters, and you
need to have a buffer in which to store the challenge string that is big enough
to hold OPIE_CHALLENGE_MAX+1 characters.
.LP
When you are ready to output the challenge string and know the user's name,
you would use a call to opiechallenge. Later, to verify the response received,
you would use a call to opieverify. For example:
.sp 0
.sp 0
#include <stdio.h>
.sp 0
.
.sp 0
.
.sp 0
#include <opie.h>
.sp 0
.
.sp 0
.
.sp 0
char *user_name;
.sp 0
/* Always remember the trailing null! */
.sp 0
char password[OPIE_RESPONSE_MAX+1];
.sp 0
.
.sp 0
.
.sp 0
struct opie opiedata;
.sp 0
char opieprompt[OPIE_CHALLENGE_MAX+1];
.sp 0
.
.sp 0
.
.sp 0
opiechallenge(&opiedata, user_name, opieprompt);
.sp 0
.
.sp 0
.
.sp 0
if (opieverify(&opiedata, password)) {
.sp 0
printf("Login incorrect");
.sp 0
.SH TERMINAL SECURITY AND OPIE
When using OPIE, you need to be careful not to allow your password to be
communicated over an insecure channel where someone might be able to listen
in and capture it. OPIE can protect you against people who might get your
password from snooping on the line, but only if you make sure that the password
itself never gets sent over the line. The important thing is to always run the
OPIE calculator on whichever machine you are actually using - never on a machine
you are connected to by network or by dialup.
.LP
You need to be careful about the
X Window System, because it changes things quite a bit. For instance, if you
run an xterm (or your favorite equivalent) on another machine and display it
on your machine, you should not run an OPIE calculator in that window. When you
type in your secret password, it still gets transmitted over the network to go
to the machine the xterm is running on. People with machines such as
X terminals that can only run the calculator over the network are in an
especially precarious position because they really have no choice. Also, with
the X Window System, as with some other window system (NeWS as an example),
it is sometimes possible for people to read your keystrokes and capture your
password even if you are running the OPIE calculator on your local machine.
You should always use the best security mechanism available on your system to
protect your X server, be it XDM-AUTHORIZATION-1, XDM-MAGIC-COOKIE-1, or host
access control. *Never* just allow any machine to connect to your server
because, by doing so, you are allowing any machine to read any of your windows
or your keystrokes without you knowing it.
.SH SEE ALSO
.BR ftpd (8)
.BR login (1),
.BR opie (4),
.BR opiekeys (5),
.BR opieaccess (5),
.BR opiekey (1),
.BR opieinfo (1),
.BR opiepasswd (1),
.sp
Lamport, L. "Password Authentication with Insecure Communication",
Communications of the ACM 24.11 (November 1981), pp. 770-772.
.sp
Haller, N. "The S/KEY One-Time Password System", Proceedings of the ISOC
Symposium on Network and Distributed System Security, February 1994,
San Diego, CA.
.sp
Haller, N. and Atkinson, R, "On Internet Authentication", RFC-1704,
DDN Network Information Center, October 1994.
.sp
Rivest, R. "The MD5 Message Digest Algorithm", RFC-1321,
DDN Network Information Center, April 1992.
.sp
Rivest, R. "The MD4 Message Digest Algorithm", RFC-1320,
DDN Network Information Center, April 1992.
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
UNIX is a trademark of X/Open.
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

179
contrib/opie/opie.h
View File

@ -1,179 +0,0 @@
/* opie.h: Data structures and values for the OPIE authentication
system that a program might need.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Added sequence number limits. Added
struct opie_otpkey and made many functions use it. Added
opiestrncpy(). Include header with libmissing prototypes.
Modified by cmetz for OPIE 2.32. Added symbolic flag names for
opiepasswd(). Added __opieparsechallenge() prototype.
Modified by cmetz for OPIE 2.31. Removed active attack protection.
Modified by cmetz for OPIE 2.3. Renamed PTR to VOIDPTR. Added
re-init key and extension file fields to struct opie. Added
opie_ prefix on struct opie members. Added opie_flags field
and definitions. Added more prototypes. Changed opiehash()
prototype.
Modified by cmetz for OPIE 2.22. Define __P correctly if this file
is included in a third-party program.
Modified by cmetz for OPIE 2.2. Re-did prototypes. Added FUNCTION
definition et al. Multiple-include protection. Added struct
utsname fake. Got rid of gethostname() cruft. Moved UINT4
here. Provide for *seek whence values. Move MDx context here
and unify. Re-did prototypes.
Modified at NRL for OPIE 2.0.
Written at Bellcore for the S/Key Version 1 software distribution
(skey.h).
$FreeBSD$
*/
#ifndef _OPIE_H
#define _OPIE_H 1
struct opie {
int opie_flags;
char opie_buf[256];
char *opie_principal;
int opie_n;
char *opie_seed;
char *opie_val;
long opie_recstart;
};
#define __OPIE_FLAGS_RW 1
#define __OPIE_FLAGS_READ 2
/* Minimum length of a secret password */
#ifndef OPIE_SECRET_MIN
#define OPIE_SECRET_MIN 10
#endif /* OPIE_SECRET_MIN */
/* Maximum length of a secret password */
#define OPIE_SECRET_MAX 127
/* Minimum length of a seed */
#define OPIE_SEED_MIN 5
/* Maximum length of a seed */
#define OPIE_SEED_MAX 16
/* Max length of hash algorithm name (md4/md5/sha1) */
#define OPIE_HASHNAME_MAX 4
/* Maximum length of a challenge (otp-md? 9999 seed ext) */
#define OPIE_CHALLENGE_MAX (4+OPIE_HASHNAME_MAX+1+4+1+OPIE_SEED_MAX+1+3)
/* Maximum length of a response that we allow */
#define OPIE_RESPONSE_MAX (9+1+19+1+9+OPIE_SEED_MAX+1+19+1+19+1+19)
/* Maximum length of a principal (read: user name) */
#define OPIE_PRINCIPAL_MAX 32
/* Maximum sequence number */
#ifndef OPIE_SEQUENCE_MAX
#define OPIE_SEQUENCE_MAX 9999
#endif /* OPIE_SEQUENCE_MAX */
/* Restricted sequence number */
#ifndef OPIE_SEQUENCE_RESTRICT
#define OPIE_SEQUENCE_RESTRICT 9
#endif /* OPIE_SEQUENCE_RESTRICT */
#define UINT4 u_int32_t
struct opie_otpkey {
UINT4 words[2];
};
#ifndef SEEK_SET
#define SEEK_SET 0
#endif /* SEEK_SET */
#ifndef SEEK_END
#define SEEK_END 2
#endif /* SEEK_END */
__BEGIN_DECLS
int opieaccessfile __P((char *));
int rdnets __P((long));
int isaddr __P((register char *));
int opiealways __P((char *));
char *opieatob8 __P((struct opie_otpkey *, char *));
void opiebackspace __P((char *));
char *opiebtoa8 __P((char *, struct opie_otpkey *));
char *opiebtoe __P((char *, struct opie_otpkey *));
char *opiebtoh __P((char *, struct opie_otpkey *));
int opieetob __P((struct opie_otpkey *, char *));
int opiechallenge __P((struct opie *,char *,char *));
int opiegenerator __P((char *,char *,char *));
int opiegetsequence __P((struct opie *));
void opiehash __P((struct opie_otpkey *, unsigned));
int opiehtoi __P((register char));
int opiekeycrunch __P((int, struct opie_otpkey *, char *, char *));
int opielock __P((char *));
int opieunlock __P((void));
void opieunlockaeh __P((void));
void opiedisableaeh __P((void));
int opielookup __P((struct opie *,char *));
int opiepasscheck __P((char *));
int opienewseed __P((char *));
void opierandomchallenge __P((char *));
char * opieskipspace __P((register char *));
void opiestripcrlf __P((char *));
int opieverify __P((struct opie *,char *));
int opiepasswd __P((struct opie *, int, char *, int, char *, char *));
char *opiereadpass __P((char *, int, int));
int opielogin __P((char *line, char *name, char *host));
const char *opie_get_algorithm __P((void));
int opie_haskey __P((char *username));
char *opie_keyinfo __P((char *));
int opie_passverify __P((char *username, char *passwd));
int opieinsecure __P((void));
void opieversion __P((void));
__END_DECLS
#if _OPIE
#define VOIDPTR void *
#define VOIDRET void
#define NOARGS void
#define FUNCTION(arglist, args) (args)
#define AND ,
#define FUNCTION_NOARGS ()
__BEGIN_DECLS
struct utmp;
int __opiegetutmpentry __P((char *, struct utmp *));
#ifdef EOF
FILE *__opieopen __P((char *, int, int));
#endif /* EOF */
int __opiereadrec __P((struct opie *));
int __opiewriterec __P((struct opie *));
int __opieparsechallenge __P((char *buffer, int *algorithm, int *sequence, char **seed, int *exts));
VOIDRET opiehashlen __P((int algorithm, VOIDPTR in, struct opie_otpkey *out, int n));
__END_DECLS
#define opiestrncpy(dst, src, n) \
do { \
strncpy(dst, src, n-1); \
dst[n-1] = 0; \
} while(0)
/* #include "missing.h" */
#endif /* _OPIE */
#define OPIEPASSWD_CONSOLE 1
#define OPIEPASSWD_FORCE 2
#endif /* _OPIE_H */

184
contrib/opie/opie_cfg.h
View File

@ -1,184 +0,0 @@
/* opie_cfg.h: Various configuration-type pieces of information for OPIE.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Removed NBBY definition.
Modified by cmetz for OPIE 2.32. Include <sys/types.h> before
<dirent.h> to make *BSD happy.
Modified by cmetz for OPIE 2.31. Added 4.4BSD-Lite pathnames.h
definitions from ftpd. Added struct spwd definition and
HAVE_SHADOW logic for SunOS C2 shadow password support.
Moved user locking config to configure script. Removed
options.h.
Modified by cmetz for OPIE 2.3. Splatted with opie_auto.h.
Obseleted many symbols. Changed OPIE_PASS_{MIN,MAX} to
OPIE_SECRET_{MIN,MAX}. Fixed SHADOW+UTMP definitions.
Removed a lot of symbols.
Modified by cmetz for OPIE 2.2. Got rid of ANSIPROTO and ARGS.
Got rid of TRUE and FALSE definitions. Moved UINT4 to
opie.h and removed UINT2.
Modified at NRL for OPIE 2.1. Fixed sigprocmask declaration.
Gutted for autoconf. Split up for autoconf.
Written at NRL for OPIE 2.0.
History of opie_auto.h:
Modified by cmetz for OPIE 2.22. Support the Solaris TTYPROMPT drain
bamage on all systems -- it doesn't hurt others, and it's
not something Autoconf can check for yet.
Modified by cmetz for OPIE 2.2. Don't replace sigprocmask by ifdef.
Added configure check for LS_COMMAND. Added setreuid/setgid
band-aids.
Modified at NRL for OPIE 2.2. Require /etc/shadow for Linux to use
shadow passwords.
Modified at NRL for OPIE 2.11. Removed version defines.
Modified at NRL for OPIE 2.1. Fixed sigprocmask declaration.
Gutted for autoconf. Split up for autoconf.
Written at NRL for OPIE 2.0.
$FreeBSD$
*/
#ifndef _OPIE_CFG_H
#define _OPIE_CFG_H 1
#define VERSION "2.4"
#define DATE "Friday, January 19, 2001"
#ifndef unix
#define unix 1
#endif /* unix */
#include "config.h"
/* System characteristics */
#if HAVE_GETUTXLINE && HAVE_UTMPX_H
#define DOUTMPX 1
#else /* HAVE_GETUTXLINE && HAVE_UTMPX_H */
#define DOUTMPX 0
#endif /* HAVE_GETUTXLINE && HAVE_UTMPX_H */
#include <sys/types.h>
/* Adapted from the Autoconf hypertext info pages */
#if HAVE_DIRENT_H
#include <dirent.h>
#else /* HAVE_DIRENT_H */
#define dirent direct
#if HAVE_SYS_NDIR_H
#include <sys/ndir.h>
#endif /* HAVE_SYS_NDIR_H */
#if HAVE_SYS_DIR_H
#include <sys/dir.h>
#endif /* HAVE_SYS_DIR_H */
#if HAVE_NDIR_H
#include <ndir.h>
#endif /* HAVE_NDIR_H */
#endif /* HAVE_DIRENT_H */
#ifndef MAIL_DIR
#ifdef PATH_MAIL
#define MAIL_DIR PATH_MAIL
#else /* PATH_MAIL */
#ifdef _PATH_MAIL
#define MAIL_DIR _PATH_MAIL
#else /* _PATH_MAIL */
#ifdef _PATH_MAILDIR
#define MAIL_DIR _PATH_MAILDIR
#else /* _PATH_MAILDIR */
#define MAIL_DIR "/usr/spool/mail"
#endif /* _PATH_MAILDIR */
#endif /* _PATH_MAIL */
#endif /* PATH_MAIL */
#endif /* MAIL_DIR */
#if HAVE_SHADOW_H && HAVE_GETSPNAM && HAVE_ENDSPENT
#if defined(linux) && !HAVE_ETC_SHADOW
#define HAVE_SHADOW 0
#else /* defined(linux) && !HAVE_ETC_SHADOW */
#define HAVE_SHADOW 1
#endif /* defined(linux) && !HAVE_ETC_SHADOW */
#endif /* HAVE_SHADOW_H && HAVE_GETSPNAM && HAVE_ENDSPENT */
#if HAVE_SUNOS_C2_SHADOW && !HAVE_SHADOW
#undef HAVE_SHADOW
#define HAVE_SHADOW 1
#endif /* HAVE_SUNOS_C2_SHADOW && !HAVE_SHADOW */
/* If the user didn't specify, default to MD5 */
#ifndef MDX
#define MDX 5
#endif /* MDX */
#ifndef _PATH_BSHELL
#define _PATH_BSHELL "/bin/sh"
#endif
#ifndef _PATH_DEVNULL
#define _PATH_DEVNULL "/dev/null"
#endif
#ifndef _PATH_FTPUSERS
#define _PATH_FTPUSERS "/etc/ftpusers"
#endif
#ifndef _PATH_FTPLOGINMESG
#define _PATH_FTPLOGINMESG "/etc/ftpmotd"
#endif /* _PATH_FTPLOGINMESG */
#ifndef _PATH_FTPWELCOME
#define _PATH_FTPWELCOME "/etc/ftpwelcome"
#endif /* _PATH_FTPWELCOME */
#ifndef _PATH_NOLOGIN
#define _PATH_NOLOGIN "/etc/nologin"
#endif /* _PATH_NOLOGIN */
#ifndef TTYGRPNAME
#define TTYGRPNAME "tty" /* name of group to own ttys */
#endif
#ifndef QUIET_LOGIN_FILE
#define QUIET_LOGIN_FILE ".hushlogin"
#endif
#ifndef OPIE_ALWAYS_FILE
#define OPIE_ALWAYS_FILE ".opiealways"
#endif
#ifndef OPIE_LOCK_TIMEOUT
#define OPIE_LOCK_TIMEOUT (30*60)
#endif
#ifndef MOTD_FILE
#define MOTD_FILE "/etc/motd"
#endif
#ifndef LOGIN_PATH
#define LOGIN_PATH "/usr/ucb:/bin:/usr/bin"
#endif /* LOGIN_PATH */
#ifndef POINTER
#define POINTER unsigned char *
#endif /* POINTER */
#ifdef HAVE_SUNOS_C2_SHADOW
struct spwd {
char *sp_pwdp;
};
#endif /* HAVE_SUNOS_C2_SHADOW */
#define _OPIE 1
#endif /* _OPIE_CFG_H */

92
contrib/opie/opieaccess.5
View File

@ -1,92 +0,0 @@
.\" opieaccess.5: Manual page describing the /etc/opieaccess file.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.4. Fixed "0PIE" typo.
.\" Written at NRL for OPIE 2.0.
.\"
.ll 6i
.pl 10.5i
.\" @(#)opieaccess.5 2.0 (NRL) 1/10/95
.\" $FreeBSD$
.\"
.lt 6.0i
.TH OPIEACCESS 5 "January 10, 1995"
.AT 3
.SH NAME
/etc/opieaccess \- OPIE database of trusted networks
.SH DEPRECATION NOTICE
OPIE is deprecated, and may not be available in FreeBSD 14.0 and later.
.SH DESCRIPTION
The
.I opieaccess
file contains a list of networks that are considered trusted by the system as
far as security against passive attacks is concerned. Users from networks so
trusted will be able to log in using OPIE responses, but not be required to
do so, while users from networks that are not trusted will always be required
to use OPIE responses (the default behavior). This trust allows a site to
have a more gentle migration to OPIE by allowing it to be non-mandatory for
"inside" networks while allowing users to choose whether they with to use OPIE
to protect their passwords or not.
.sp
The entire notion of trust implemented in the
.I opieaccess
file is a major security hole because it opens your system back up to the same
passive attacks that the OPIE system is designed to protect you against. The
.I opieaccess
support in this version of OPIE exists solely because we believe that it is
better to have it so that users who don't want their accounts broken into can
use OPIE than to have them prevented from doing so by users who don't want
to use OPIE. In any environment, it should be considered a transition tool and
not a permanent fixture. When it is not being used as a transition tool, a
version of OPIE that has been built without support for the
.I opieaccess
file should be built to prevent the possibility of an attacker using this file
as a means to circumvent the OPIE software.
.sp
The
.I opieaccess
file consists of lines containing three fields separated by spaces (tabs are
properly interpreted, but spaces should be used instead) as follows:
.PP
.nf
.ta \w' 'u
Field Description
action "permit" or "deny" non-OPIE logins
address Address of the network to match
mask Mask of the network to match
.fi
Subnets can be controlled by using the appropriate address and mask. Individual
hosts can be controlled by using the appropriate address and a mask of
255.255.255.255. If no rules are matched, the default is to deny non-OPIE
logins.
.SH SEE ALSO
.BR ftpd (8)
.BR login (1),
.BR opie (4),
.BR opiekeys (5),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR su (1),
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

386
contrib/opie/opieauto.c
View File

@ -1,386 +0,0 @@
/* opieauto.c: The opieauto program.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Created by cmetz for OPIE 2.4 based on previously released
test code. Use opiestrncpy().
*/
#include "opie_cfg.h"
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#if HAVE_SYS_TIME_H
#include <sys/time.h>
#endif /* HAVE_SYS_TIME_H */
#include <stdio.h>
#include <errno.h>
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include <getopt.h>
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <sys/stat.h>
#include "opie.h"
#ifndef max
#define max(x, y) (((x) > (y)) ? (x) : (y))
#endif /* max */
int window = 10;
char *myname = NULL;
uid_t myuid = 0;
#define MAXCLIENTS 2
int parents, s[MAXCLIENTS + 1];
char cmd[1+1+1+1+4+1+OPIE_SEED_MAX+1+4+1+4+1+4+1+4+1];
struct cachedotp {
struct cachedotp *next;
int algorithm, base, current;
struct opie_otpkey basekey;
char seed[OPIE_SEED_MAX+1];
};
struct cachedotp *head = NULL;
char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" };
void baile(x) {
fprintf(stderr, "%s: %s: %s(%d)\n", myname, x, strerror(errno), errno);
exit(1);
}
void bail(x) {
fprintf(stderr, "%s: %s\n", myname, x);
exit(1);
}
void zerocache(void)
{
struct cachedotp *c = head, *c2;
while(c) {
c2 = c->next;
memset(c, 0, sizeof(struct cachedotp));
c = c2;
};
};
int doreq(int fd)
{
int algorithm, sequence, i;
char *seed = NULL, *response = NULL;
if (((cmd[0] != 'S') && (cmd[0] != 's')) || (cmd[1] != '=') || (cmd[2] != ' ')) {
#if DEBUG
fprintf(stderr, "%s: got bogus command: %s\n", myname, cmd);
#endif /* DEBUG */
goto error;
};
{
char *c;
if (((algorithm = strtoul(&cmd[3], &c, 10)) < 3) || (algorithm > 5) || (*c != ' ')) {
#if DEBUG
fprintf(stderr, "%s: got bogus algorithm: %s\n", myname, cmd);
#endif /* DEBUG */
goto error;
};
if (((sequence = strtoul(c + 1, &c, 10)) <= OPIE_SEQUENCE_RESTRICT) || (sequence > OPIE_SEQUENCE_MAX)) {
#if DEBUG
fprintf(stderr, "%s: got bogus sequence: %s\n", myname, cmd);
#endif /* DEBUG */
goto error;
};
if (cmd[0] == 'S') {
if (!(c = strchr(seed = c + 1, ' '))) {
#if DEBUG
fprintf(stderr, "%s: got bogus seed: %s\n", myname, cmd);
#endif /* DEBUG */
goto error;
};
*c = 0;
if (!(c = strchr(response = c + 1, '\n'))) {
#if DEBUG
fprintf(stderr, "%s: got bogus response: %s\n", myname, cmd);
#endif /* DEBUG */
goto error;
};
*c = 0;
} else {
if (!(c = strchr(seed = c + 1, '\n'))) {
#if DEBUG
fprintf(stderr, "%s: got bogus seed: %s\n", myname, cmd);
#endif /* DEBUG */
goto error;
};
*c = 0;
};
};
#if DEBUG
fprintf(stderr, "got cmd=%c, algorithm=%d sequence=%d seed=+%s+ response=+%s+ on fd %d\n", cmd[0], algorithm, sequence, seed, response, fd);
#endif /* DEBUG */
seed = strdup(seed);
if (sequence < 10) {
#if DEBUG
fprintf(stderr, "sequence < 10; can't do it\n");
#endif /* DEBUG */
sprintf(cmd, "%c- %d %d %s\n", cmd[0], algorithm, sequence, seed);
};
{
struct cachedotp **c;
for (c = &head; *c && (strcmp((*c)->seed, seed) || ((*c)->algorithm != algorithm)); c = &((*c)->next));
if (!(*c)) {
if (cmd[0] == 's') {
#if DEBUG
fprintf(stderr, "(seed, algorithm) not found for s command\n");
#endif /* DEBUG */
sprintf(cmd, "s- %d %d %s\n", algorithm, sequence, seed);
goto out;
}
if (!(*c = malloc(sizeof(struct cachedotp))))
baile("malloc");
memset(*c, 0, sizeof(struct cachedotp));
(*c)->algorithm = algorithm;
opiestrncpy((*c)->seed, seed, OPIE_SEED_MAX);
};
if (cmd[0] == 'S') {
(*c)->base = max(sequence - window + 1, OPIE_SEQUENCE_RESTRICT);
(*c)->current = sequence;
if (!opieatob8(&(*c)->basekey, response))
goto error;
sprintf(cmd, "S+ %d %d %s\n", algorithm, sequence, (*c)->seed);
} else {
if (sequence != ((*c)->current - 1)) {
#if DEBUG
fprintf(stderr, "out of sequence: sequence=%d, base=%d, current=%d\n", sequence, (*c)->base, (*c)->current);
#endif /* DEBUG */
sprintf(cmd, "s- %d %d %s\n", algorithm, sequence, (*c)->seed);
goto out;
};
if (sequence < (*c)->base) {
#if DEBUG
fprintf(stderr, "attempt to generate below base: sequence=%d, base=%d, current=%d\n", sequence, (*c)->base, (*c)->current);
#endif /* DEBUG */
sprintf(cmd, "s- %d %d %s\n", algorithm, sequence, (*c)->seed);
goto out;
};
(*c)->current = sequence;
i = sequence - (*c)->base;
{
struct opie_otpkey key;
char buffer[16+1];
key = (*c)->basekey;
while(i--)
opiehash(&key, algorithm);
opiebtoa8(buffer, &key);
sprintf(cmd, "s+ %d %d %s %s\n", algorithm, sequence, (*c)->seed, buffer);
};
};
printf("%c otp-%s %d %s (%d/%d)\n", cmd[0], algids[algorithm], sequence, (*c)->seed, sequence - (*c)->base, window);
fflush(stdout);
if (sequence == (*c)->base) {
struct cachedotp *c2 = *c;
*c = (*c)->next;
memset(c2, 0, sizeof(struct cachedotp));
free(c2);
};
};
out:
write(fd, cmd, i = strlen(cmd));
free(seed);
return 0;
error:
fprintf(stderr, "Invalid command on fd %d\n", fd);
if (seed)
free(seed);
return -1;
}
static void usage()
{
fprintf(stderr, "usage: %s [-v] [-h] [-q] [-n <number of OTPs>]\n", myname);
exit(1);
}
int main(int argc, char **argv)
{
int i;
struct stat st;
char *sockpath;
if (myname = strrchr(argv[0], '/'))
myname++;
else
myname = argv[0];
while((i = getopt(argc, argv, "w:hv")) != EOF) {
switch(i) {
case 'v':
opieversion();
case 'w':
if (!(window = atoi(optarg))) {
fprintf(stderr, "%s: invalid number of OTPs: %s\n", myname, optarg);
exit(1);
};
break;
default:
usage();
}
};
{
uid_t myeuid;
if (!(myuid = getuid()) || !(myeuid = geteuid()) || (myuid != myeuid))
bail("this program must not be run with superuser priveleges or setuid.");
};
if (atexit(zerocache) < 0)
baile("atexit");
{
struct sockaddr_un sun;
memset(&sun, 0, sizeof(struct sockaddr_un));
sun.sun_family = AF_UNIX;
{
char *c;
char *c2 = "/.opieauto";
if (!(c = getenv("HOME")))
bail("getenv(HOME) failed -- no HOME variable?");
if (strlen(c) > (sizeof(sun.sun_path) - strlen(c2) - 1))
bail("your HOME is too long");
strcpy(sun.sun_path, c);
strcat(sun.sun_path, c2);
sockpath = strdup(sun.sun_path);
};
if ((parents = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
baile("socket");
if (unlink(sockpath) && (errno != ENOENT))
baile("unlink");
if (umask(0177) < 0)
baile("umask");
if (bind(parents, (struct sockaddr *)&sun, sizeof(struct sockaddr_un)))
baile("bind");
if (stat(sockpath, &st) < 0)
baile("stat");
if ((st.st_uid != myuid) || (!S_ISSOCK(st.st_mode)) || ((st.st_mode & 07777) != 0600))
bail("socket permissions and/or ownership were not correctly created.");
if (listen(parents, 1) < 0)
baile("listen");
};
{
fd_set fds, rfds, efds;
int maxfd = parents;
int i, j;
FD_ZERO(&fds);
FD_SET(parents, &fds);
while(1) {
memcpy(&rfds, &fds, sizeof(fd_set));
if (select(maxfd + 1, &rfds, NULL, NULL, NULL) < 0)
baile("select");
for (i = 0; s[i]; i++) {
if (!FD_ISSET(s[i], &rfds))
continue;
if (((j = read(s[i], cmd, sizeof(cmd)-1)) <= 0) || ((cmd[j] = 0) || doreq(s[i]))) {
close(s[i]);
FD_CLR(s[i], &fds);
if (s[i] == maxfd)
maxfd--;
for (j = i; s[j]; s[j] = s[j + 1], j++);
FD_SET(parents, &fds);
i--;
continue;
};
};
if (FD_ISSET(parents, &rfds)) {
for (i = 0; s[i]; i++)
if (i > MAXCLIENTS)
bail("this message never printed");
if (stat(sockpath, &st) < 0)
baile("stat");
if ((st.st_uid != myuid) || (!S_ISSOCK(st.st_mode)) || ((st.st_mode & 07777) != 0600))
bail("socket permissions and/or ownership has been messed with.");
if ((s[i] = accept(parents, NULL, 0)) < 0)
baile("accept");
FD_SET(s[i], &fds);
if (s[i] > maxfd)
maxfd = s[i];
sprintf(cmd, "C+ %d\n", window);
if (write(s[i], cmd, j = strlen(cmd)) != j)
baile("write");
if (++i == MAXCLIENTS)
FD_CLR(parents, &fds);
}
}
}
}

294
contrib/opie/opieftpd.8
View File

@ -1,294 +0,0 @@
.\" opieftpd.8: Manual page describing the FTP daemon.
.\"
.\" %%% portions-copyright-cmetz-98
.\" Portions of this software are Copyright 1998-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.4. Document -u option.
.\" Modified at NRL for OPIE 2.0.
.\" Originally from BSD.
.\"
.\" NOTE:
.\"
.\" This manual page uses the BSD >= Net/2 "mandoc" macros and may not
.\" format properly on all systems.
.\"
.\" Copyright (c) 1985, 1988, 1991 The Regents of the University of California.
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" @(#)opieopieftpd.8 6.9 (Berkeley) 3/16/91
.\"
.TH OPIEFTPD 8 "10 January 1995"
.SH NAME
opieftpd \- File Transfer Protocol server that uses OPIE authentication
.SH SYNOPSIS
.B opieftpd
[\-d] [\-l] [\-t
.I timeout
] [\-T
.I maxtimeout
] [\-u
.I umask
]
.SH DESCRIPTION
.I opieftpd
is the Internet File Transfer Protocol server process. The server uses the
TCP protocol and listens at the port specified in the ftp service
specification; see
.IR services (5).
.SH OPTIONS
.TP
.B \-d
Debugging information is written to the system logs.
.TP
.B \-l
Each
.IR ftp (1)
session is logged in the system logs.
.TP
.B \-t
The inactivity timeout period is set to
.I timeout
seconds (the default is 15 minutes).
.TP
.B \-T
A client may also request a different timeout period;
the maximum period allowed may be set to
.I maxtimeout
seconds with the
.B \-T
option. The default limit is 2 hours.
.B \-u
Set the default umask value to
.I umask.
.SH COMMANDS
The ftp server currently supports the following ftp
requests; case is not distinguished:
.PP
.nf
.ta \w'Request 'u
Request Description
ABOR abort previous command
ACCT specify account (ignored)
ALLO allocate storage (vacuously)
APPE append to a file
CDUP change to parent of current working directory
CWD change working directory
DELE delete a file
HELP give help information
LIST give a list of files in a directory
MKD make a directory
MDTM show last modification time of file
MODE specify data transfer mode
NLST give name list of files in directory
NOOP do nothing
PASS specify password
PASV prepare for server-to-server transfer
PORT specify data connection port
PWD print the current working directory
QUIT terminate session
REST restart incomplete transfer
RETR retrieve a file
RMD remove a directory
RNFR specify rename-from file name
RNTO specify rename-to file name
SITE non-standard commands (see next section)
SIZE return size of file
STAT return status of server
STOR store a file
STOU store a file with a unique name
STRU specify data transfer structure
SYST show operating system type of server system
TYPE specify data transfer type
USER specify user name
XCUP change to parent of current working directory (deprecated)
XCWD change working directory (deprecated)
XMKD make a directory (deprecated)
XPWD print the current working directory (deprecated)
XRMD remove a directory (deprecated)
.fi
The following non-standard or UNIX-specific commands are supported
by the SITE request:
.PP
.nf
.ta \w'Request 'u
Request Description
UMASK change umask (e.g. SITE UMASK 002)
IDLE set idle-timer (e.g. SITE IDLE 60)
CHMOD change mode of a file (e.g. SITE CHMOD 755 file)
HELP give help information (e.g. SITE HELP)
.fi
.sp
The remaining ftp requests specified in Internet RFC-959 are
recognized, but not implemented.
.sp
MDTM and SIZE are not specified in RFC-959, but will appear
in the next updated FTP RFC.
The ftp server will abort an active file transfer only when the
ABOR command is preceded by a Telnet "Interrupt Process" (IP)
signal and a Telnet "Synch" signal in the command Telnet stream,
as described in Internet RFC-959.
If a STAT command is received during a data transfer, preceded by
a Telnet IP and Synch, transfer status will be returned.
.I opieftpd
interprets file names according to the globbing conventions used by
.IR csh (1).
This allows users to utilize the metacharacters
\&*?[]{}~.
.sp
.I opieftpd
authenticates users according to three rules:
.sp
The user name must be in the password data base,
.I /etc/passwd,
and not have a null password. In this case, a password
must be provided by the client before any file operations
may be performed.
.sp
The user name must not appear in the file
.I /etc/ftpusers.
.sp
The user must have a standard shell returned by
.IR getusershell (3).
.sp
If the user name is
.I anonymous
or
.I ftp,
an anonymous ftp account must be present in the password
file (user
.I ftp ).
In this case, the user is allowed to log in by specifying any
password (by convention, this is given as the client host's name).
In the last case,
.I opieftpd
takes special measures to restrict the client's access privileges.
The server performs a
.IR chroot (2)
command to the home directory of the
.I ftp
user.
In order that system security is not breached, it is recommended
that the
.I ftp
subtree be constructed with care; the following
rules are recommended:
.sp
.TP
.B ~ftp
Make the home directory owned by
.I ftp
and unwritable by anyone.
.TP
.B ~ftp/bin
Make this directory owned by the super-user and unwritable by
anyone. The program
.IR ls (1)
must be present to support the LIST command. This
program should have mode 111.
.TP
.B ~ftp/etc
Make this directory owned by the super-user and unwritable by
anyone. The files
.IR passwd (5)
and
.IR group (5)
must be present for the
.IR ls (1)
command to be able to produce owner names rather than numbers.
The password field in
.I passwd
is not used, and should not contain real encrypted passwords.
These files should be mode 444.
.TP
.B ~ftp/pub
Make this directory mode 777 and owned by
.I ftp.
Users should then place files which are to be accessible via the
anonymous account in this directory.
.SH SEE ALSO
.BR ftpd (8),
.BR ftp (1),
.BR opie (4),
.BR opiekey (1),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR opiesu (1),
.BR opieftpd (8),
.BR opiekeys (5),
.BR opieaccess (5)
.SH BUGS
The anonymous account is inherently dangerous and should
avoided when possible. In
.I opieftpd,
it is a compile-time option that should be disabled if it is not
being used.
The server must run as the super-user
to create sockets with privileged port numbers. It maintains
an effective user id of the logged in user, reverting to
the super-user only when binding addresses to sockets. The
possible security holes have been scrutinized, but are possibly incomplete.
.SH HISTORY
The
.I ftpd
command appeared in 4.2BSD.
.SH AUTHOR
Originally written for BSD,
.I ftpd
was modified at NRL by Randall Atkinson, Dan McDonald, and Craig Metz to
support OTP authentication.
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

1715
contrib/opie/opieftpd.c
View File

File diff suppressed because it is too large Load Diff

90
contrib/opie/opiegen.1
View File

@ -1,90 +0,0 @@
.\" opiegen.1: Manual page for the opiegen(1) program.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.4. Fixed *roff bug.
.\" Created by cmetz for OPIE 2.2 from opiekey.1.
.\"
.ll 6i
.pl 10.5i
.lt 6.0i
.TH OPIEKEY 1 "February 20, 1996"
.AT 3
.SH NAME
opiegen \- Example OPIE-based OTP generator
.SH SYNOPSIS
.B opiegen
.sp 0
[
.I challenge
]
.sp 0
.SH DESCRIPTION
.I opiegen
takes a properly formed OTP challenge either from the command line or from
standard input, prompts the user for a secret pass phrase, and generates an
OTP response to that challenge. It is intended as an example for programmers
of how a simple OTP generator can be built. Users should probably use the
.I opiekey
program instead.
.SH EXAMPLE
.sp 0
wintermute$ opiegen otp-md5 495 wi01309
.sp 0
Secret Pass Phrase:
.sp 0
GILL HUED GOES CHUM LIEU VAIN
.sp 0
wintermute$
.LP
.SH BUGS
.BR opiegen(1)
can lull a user into revealing his/her password when remotely logged in, thus
defeating the purpose of OPIE. This is especially a problem with xterm.
.BR opiegen(1)
implements simple checks to reduce the risk of a user making
this mistake. Better checks are needed.
.LP
.SH SEE ALSO
.BR opiekey (1),
.BR opieserv (1),
.BR opie (4),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR opiesu (1),
.BR opielogin (1),
.BR opieftpd (8),
.BR opiekeys (5),
.BR opieaccess (5)
.SH AUTHOR
The opiegen(1) program was created by Craig Metz for OPIE 2.2.
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

88
contrib/opie/opiegen.c
View File

@ -1,88 +0,0 @@
/* opiegen.c: Sample OTP generator based on the opiegenerator()
library routine.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.3. OPIE_PASS_MAX changed to
OPIE_SECRET_MAX. Send debug info to syslog.
Modified by cmetz for OPIE 2.2. Use FUNCTION definition et al.
Fixed include order.
Created at NRL for OPIE 2.2.
*/
#include "opie_cfg.h"
#include <stdio.h>
#if DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include "opie.h"
int main FUNCTION((argc, argv), int argc AND char *argv[])
{
char buffer[OPIE_CHALLENGE_MAX+1];
char secret[OPIE_SECRET_MAX+1];
char response[OPIE_RESPONSE_MAX+1];
int result;
if (opieinsecure()) {
fputs("Sorry, but you don't seem to be on a secure terminal.\n", stderr);
#if !DEBUG
exit(1);
#endif /* !DEBUG */
}
if (argc <= 1) {
fputs("Challenge: ", stderr);
if (!opiereadpass(buffer, sizeof(buffer)-1, 1))
fprintf(stderr, "Error reading challenge!");
} else {
char *ap, *ep, *c;
int i;
ep = buffer + sizeof(buffer) - 1;
for (i = 1, ap = buffer; (i < argc) && (ap < ep); i++) {
c = argv[i];
while ((*(ap++) = *(c++)) && (ap < ep));
*(ap - 1) = ' ';
}
*(ap - 1) = 0;
#if DEBUG
syslog(LOG_DEBUG, "opiegen: challenge is +%s+\n", buffer);
#endif /* DEBUG */
}
buffer[sizeof(buffer)-1] = 0;
fputs("Secret pass phrase: ", stderr);
if (!opiereadpass(secret, OPIE_SECRET_MAX, 0)) {
fputs("Error reading secret pass phrase!\n", stderr);
exit(1);
};
switch (result = opiegenerator(buffer, secret, response)) {
case -2:
fputs("Not a valid OTP secret pass phrase.\n", stderr);
break;
case -1:
fputs("Error processing challenge!\n", stderr);
break;
case 1:
fputs("Not a valid OTP challenge.\n", stderr);
break;
case 0:
fputs(response, stdout);
fputc('\n', stdout);
fflush(stdout);
memset(secret, 0, sizeof(secret));
exit(0);
default:
fprintf(stderr, "Unknown error %d!\n", result);
}
memset(secret, 0, sizeof(secret));
return 1;
}

103
contrib/opie/opieinfo.1
View File

@ -1,103 +0,0 @@
.\" opieinfo.1: Manual page for the opieinfo(1) program.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.2. Removed MJR DES documentation.
.\" Modified at NRL for OPIE 2.0.
.\" Written at Bellcore for the S/Key Version 1 software distribution
.\" (keyinfo.1).
.\"
.\" $FreeBSD$
.ll 6i
.pl 10.5i
.lt 6.0i
.TH OPIEINFO 1 "January 10, 1995"
.AT 3
.SH NAME
opieinfo \- Extract sequence number and seed for future OPIE challenges.
.SH SYNOPSIS
.B opieinfo
[\-v] [\-h] [
.I user_name
]
.SH DEPRECATION NOTICE
OPIE is deprecated, and may not be available in FreeBSD 14.0 and later.
.SH DESCRIPTION
.I opieinfo
takes an optional user name and writes the current sequence number
and seed found in the OPIE key database for either the current user
or the user specified. opiekey is compatible with the
.IR keyinfo (1)
program
from Bellcore's S/Key Version 1 except that specification of a remote
system name is not permitted.
.sp
.I opieinfo
can be used to generate a listing of your future OPIE responses
if you are going to be without an OPIE calculator and still need to log into
the system. To do so, you would run something like:
.sp
.B opiekey \-n 42 `opieinfo`
.SH OPTIONS
.TP
.B \-v
Display the version number and compile-time options, then exit.
.TP
.B \-h
Display a brief help message and exit.
.TP
.B <user_name>
The name of a user whose key information you wish to display. The default is
the user running opieinfo.
.SH EXAMPLE
.sp 0
wintermute$ opieinfo
.sp 0
495 wi01309
.sp 0
wintermute$
.LP
.SH FILES
.TP
/etc/opiekeys -- database of key information for the OPIE system.
.SH SEE ALSO
.BR opie (4),
.BR opiekey (1),
.BR opiepasswd (1),
.BR su (1),
.BR login (1),
.BR ftpd (8),
.BR opiekeys (5)
.BR opieaccess (5)
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

105
contrib/opie/opieinfo.c
View File

@ -1,105 +0,0 @@
/*
opieinfo: Print a user's current OPIE sequence number and seed
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.3. Removed unneeded debug message.
Modified by cmetz for OPIE 2.2. Use FUNCTION definition et al.
Fixed include order. Make everything static. Ifdef around
some headers.
Modified at NRL for OPIE 2.1. Substitute @@KEY_FILE@@. Re-write in
C.
Modified at NRL for OPIE 2.01. Remove hard-coded paths for grep and
awk and let PATH take care of it. Substitute for Makefile
variables $(EXISTS) and $(KEY_FILE). Only compute $WHO if
there's a key file. Got rid of grep since awk can do the job
itself.
Modified at NRL for OPIE 2.0.
Written at Bellcore for the S/Key Version 1 software distribution
(keyinfo)
$FreeBSD$
*/
#include "opie_cfg.h"
#include <sys/param.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include "opie.h"
/* extern char *optarg; */
/* extern int errno, optind; */
static char *getusername FUNCTION_NOARGS
{
char *login;
login = getlogin();
if (login == NULL) {
fprintf(stderr, "Cannot find login name\n");
exit(1);
}
return login;
}
int main FUNCTION((argc, argv), int argc AND char *argv[])
{
char *username;
struct opie opie;
int i;
while ((i = getopt(argc, argv, "hv")) != EOF) {
switch (i) {
case 'v':
opieversion();
case 'h':
default:
fprintf(stderr, "usage: %s [-h] [-v] [user_name]\n", argv[0]);
exit(0);
}
}
if (optind < argc) {
if (getuid() != 0) {
fprintf(stderr, "Only superuser may get another user's keys\n");
exit(1);
}
username = argv[optind];
} else
username = getusername();
if (strlen(username) >= MAXLOGNAME) {
fprintf(stderr, "Username too long.\n");
exit(1);
}
if ((i = opielookup(&opie, username)) && (i != 2)) {
if (i < 0)
fprintf(stderr, "Error opening database! (errno = %d)\n", errno);
else
fprintf(stderr, "%s not found in database.\n", username);
exit(1);
}
printf("%d %s\n", opie.opie_n - 1, opie.opie_seed);
return 0;
}

176
contrib/opie/opiekey.1
View File

@ -1,176 +0,0 @@
.\" opiekey.1: Manual page for the opiekey(1) program.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.3. Added -t documentation. Removed
.\" opie-bugs pointer. Removed opie-md5 and opie-md4 names. Fixed
.\" a bolding bug. Added -f flag. Added escapes on flags. Minor
.\" editorial changes. Updated example.
.\" Modified by cmetz for OPIE 2.2. Removed MJR DES documentation.
.\" Re-worded retype documentation. Added opiegen reference.
.\" Added -x documentation.
.\" Modified at NRL for OPIE 2.0.
.\" Written at Bellcore for the S/Key Version 1 software distribution
.\" (key.1).
.\"
.\" $FreeBSD$
.ll 6i
.pl 10.5i
.lt 6.0i
.TH OPIEKEY 1 "February 20, 1996"
.AT 3
.SH NAME
opiekey, otp-md4, otp-md5 \- Programs for computing responses to OTP challenges.
.SH SYNOPSIS
.B opiekey
|
.B otp-md4
|
.B otp-md5
[\-v] [\-h] [\-f] [\-x]
.sp 0
[\-t
.I
type
] [\-4|\-5]
[\-a] [\-n
.I count
]
.I sequence_number seed
.sp 0
.SH DEPRECATION NOTICE
OPIE is deprecated, and may not be available in FreeBSD 14.0 and later.
.SH DESCRIPTION
.I opiekey
takes the optional count of the number of responses to
print along with a (maximum) sequence number and seed as command line
args. It prompts for the user's secret pass phrase and produces an OPIE
response as six words. If compiled to do so, it can prompt for the user's
secret pass phrase twice to help reduce errors due to mistypes. The second
password entry can be circumvented by entering only an end of line.
.I opiekey
is downward compatible with the
.IR key (1)
program from the Bellcore S/Key Version 1 distribution and several of its
variants.
.SH OPTIONS
.TP
.B \-v
Display the version number and compile-time options, then exit.
.TP
.B \-h
Display a brief help message and exit.
.TP
.B \-4, \-5
Selects MD4 or MD5, respectively, as the response generation algorithm. The
default for otp-md4 is MD4 and the default for opie-md5 is MD5. The default
for opiekey depends on compile-time configuration, but should be MD5. MD4 is
compatible with the Bellcore S/Key Version 1 distribution.
.TP
.B \-f
Force
.I opiekey
to continue, even where it normally shouldn't. This is currently used to
force opiekey to operate in even from terminals it believes to be insecure.
It can also allow users to disclose their secret pass phrases to attackers.
Use of the -f flag may be disabled by compile-time option in your particular
build of OPIE.
.TP
.B \-a
Allows you to input an arbitrary secret pass phrase, instead of running checks
against it. Arbitrary currently does not include '\\0' or '\\n' characters. This
can be used for backwards compatibility with key generators that do not check
passwords.
.TP
.B \-n <count>
the number of one time access passwords to print.
The default is one.
.TP
.B \-x
Output the OTPs as hexadecimal numbers instead of six words.
.TP
.B \-t <type>
Generate an extended response of the specified type. Supported types are:
.sp 1
word six-word
.sp 0
hex hexadecimal
.sp 0
init hexadecimal re-initialization
.sp 0
init-word six-word re-initialization
.sp 1
The re-initialization responses
.I always
generate the simple active attack protection.
.TP
.SH EXAMPLE
.sp 0
wintermute$ opiekey \-5 \-n 5 495 wi01309
.sp 0
Using MD5 algorithm to compute response.
.sp 0
Reminder: Don't use opiekey from telnet or dial-in sessions.
.sp 0
Enter secret pass phrase:
.sp 0
491: HOST VET FOWL SEEK IOWA YAP
.sp 0
492: JOB ARTS WERE FEAT TILE IBIS
.sp 0
493: TRUE BRED JOEL USER HALT EBEN
.sp 0
494: HOOD WED MOLT PAN FED RUBY
.sp 0
495: SUB YAW BILE GLEE OWE NOR
.sp 0
wintermute$
.LP
.SH BUGS
.BR opiekey(1)
can lull a user into revealing his/her password when remotely logged in, thus
defeating the purpose of OPIE. This is especially a problem with xterm.
.BR opiekey(1)
implements simple checks to reduce the risk of a user making
this mistake. Better checks are needed.
.LP
.SH SEE ALSO
.BR ftpd (8),
.BR login (1),
.BR opie (4),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR opiekeys (5),
.BR opieaccess (5),
.BR su (1)
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

347
contrib/opie/opiekey.c
View File

@ -1,347 +0,0 @@
/* opiekey.c: Stand-alone program for computing responses to OTP challenges.
Takes a sequence number and seed (presumably from an OPIE challenge)
as command line arguments, prompts for the user's secret pass phrase,
and outputs a response.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_key for key blocks.
Modified by cmetz for OPIE 2.31. Renamed "init" and RESPONSE_INIT
to "init-hex" and RESPONSE_INIT_HEX. Removed active attack
protection support.
Modified by cmetz for OPIE 2.3. OPIE_PASS_MAX changed to
OPIE_SECRET_MAX. Added extended responses, which created
lots of changes. Eliminated extra variable. Added -x and
-t to help. Added -f flag. Added SHA support.
Modified by cmetz for OPIE 2.22. Print newline after seed too long
message. Check for minimum seed length. Correct a grammar
error.
Modified at NRL for OPIE 2.2. Check opiereadpass() return.
Change opiereadpass() calls to add echo arg. Use FUNCTION
definition et al. Check seed length here, too. Added back
hex output. Reworked final output function.
Modified at NRL for OPIE 2.0.
Written at Bellcore for the S/Key Version 1 software distribution
(skey.c).
$FreeBSD$
*/
#include "opie_cfg.h"
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include "opie.h"
#ifdef __MSDOS__
#include <dos.h>
#endif
#if HAVE_FCNTL_H
#include <fcntl.h>
#endif /* HAVE_FCNTL_H */
extern char *optarg;
extern int optind, opterr;
int aflag = 0;
char *algnames[] = { NULL, NULL, NULL, "SHA-1", "MD4", "MD5" };
char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" };
/******** Begin real source code ***************/
static VOIDRET usage FUNCTION((s), char *s)
{
fprintf(stderr, "usage: %s [-v] [-h] [-f] [-x] [-t type] [-4 | -5 | -s] [-a] [-n count] sequence_number seed\n", s);
exit(1);
}
#define RESPONSE_STANDARD 0
#define RESPONSE_WORD 1
#define RESPONSE_HEX 2
#define RESPONSE_INIT_HEX 3
#define RESPONSE_INIT_WORD 4
#define RESPONSE_UNKNOWN 5
struct _rtrans {
int type;
char *name;
};
static struct _rtrans rtrans[] = {
{ RESPONSE_WORD, "word" },
{ RESPONSE_HEX, "hex" },
{ RESPONSE_INIT_HEX, "init-hex" },
{ RESPONSE_INIT_WORD, "init-word" },
{ RESPONSE_STANDARD, "" },
{ RESPONSE_STANDARD, "standard" },
{ RESPONSE_STANDARD, "otp" },
{ RESPONSE_UNKNOWN, NULL }
};
static void getsecret FUNCTION((secret, promptextra, retype), char *secret AND char *promptextra AND int flags)
{
fprintf(stderr, "Enter %ssecret pass phrase: ", promptextra);
if (!opiereadpass(secret, OPIE_SECRET_MAX, 0)) {
fprintf(stderr, "Error reading %ssecret pass phrase!\n", promptextra);
exit(1);
}
if (secret[0] && (flags & 1)) {
char verify[OPIE_SECRET_MAX + 1];
fprintf(stderr, "Again %ssecret pass phrase: ", promptextra);
if (!opiereadpass(verify, OPIE_SECRET_MAX, 0)) {
fprintf(stderr, "Error reading %ssecret pass phrase!\n", promptextra);
memset(verify, 0, sizeof(verify));
memset(secret, 0, OPIE_SECRET_MAX + 1);
exit(1);
}
if (verify[0] && strcmp(verify, secret)) {
fprintf(stderr, "They don't match. Try again.\n");
memset(verify, 0, sizeof(verify));
memset(secret, 0, OPIE_SECRET_MAX + 1);
exit(1);
}
memset(verify, 0, sizeof(verify));
}
if (!(flags & 2) && !aflag && opiepasscheck(secret)) {
memset(secret, 0, OPIE_SECRET_MAX + 1);
fprintf(stderr, "Secret pass phrases must be between %d and %d characters long.\n", OPIE_SECRET_MIN, OPIE_SECRET_MAX);
exit(1);
};
}
int main FUNCTION((argc, argv), int argc AND char *argv[])
{
/* variable declarations */
unsigned algorithm = MDX; /* default algorithm per Makefile's MDX
symbol */
int keynum = 0;
int i;
int count = 1;
char secret[OPIE_SECRET_MAX + 1], newsecret[OPIE_SECRET_MAX + 1];
struct opie_otpkey key, newkey;
char *seed, newseed[OPIE_SEED_MAX + 1];
char response[OPIE_RESPONSE_MAX + 1];
char *slash;
int hex = 0;
int type = RESPONSE_STANDARD;
int force = 0;
if (slash = strrchr(argv[0], '/'))
slash++;
else
slash = argv[0];
if (!strcmp(slash, "key") || strstr(slash, "md4"))
algorithm = 4;
if (strstr(slash, "md5"))
algorithm = 5;
if (strstr(slash, "sha"))
algorithm = 3;
while ((i = getopt(argc, argv, "fhvn:x45at:s")) != EOF) {
switch (i) {
case 'v':
opieversion();
case 'n':
count = atoi(optarg);
break;
case 'x':
hex = 1;
break;
case 'f':
#if INSECURE_OVERRIDE
force = 1;
#else /* INSECURE_OVERRIDE */
fprintf(stderr, "Sorry, but the -f option is not supported by this build of OPIE.\n");
#endif /* INSECURE_OVERRIDE */
break;
case '4':
/* use MD4 algorithm */
algorithm = 4;
break;
case '5':
/* use MD5 algorithm */
algorithm = 5;
break;
case 'a':
aflag = 1;
break;
case 't':
{
struct _rtrans *r;
for (r = rtrans; r->name && strcmp(r->name, optarg); r++);
if (!r->name) {
fprintf(stderr, "%s: %s: unknown response type.\n", argv[0], optarg);
exit(1);
}
type = r->type;
}
break;
case 's':
algorithm = 3;
break;
default:
usage(argv[0]);
}
}
if ((argc - optind) < 2)
usage(argv[0]);
fprintf(stderr, "Using the %s algorithm to compute response.\n", algnames[algorithm]);
/* get sequence number, which is next-to-last parameter */
keynum = atoi(argv[optind]);
if (keynum < 1) {
fprintf(stderr, "Sequence number %s is not positive.\n", argv[optind]);
exit(1);
}
/* get seed string, which is last parameter */
seed = argv[optind + 1];
{
i = strlen(seed);
if (i > OPIE_SEED_MAX) {
fprintf(stderr, "Seeds must be less than %d characters long.\n", OPIE_SEED_MAX);
exit(1);
}
if (i < OPIE_SEED_MIN) {
fprintf(stderr, "Seeds must be greater than %d characters long.\n", OPIE_SEED_MIN);
exit(1);
}
}
fprintf(stderr, "Reminder: Don't use opiekey from telnet or dial-in sessions.\n");
if (opieinsecure()) {
fprintf(stderr, "Sorry, but you don't seem to be on the console or a secure terminal.\n");
#if INSECURE_OVERRIDE
if (force)
fprintf(stderr, "Warning: Continuing could disclose your secret pass phrase to an attacker!\n");
else
#endif /* INSECURE_OVERRIDE */
exit(1);
}
if ((type == RESPONSE_INIT_HEX) || (type == RESPONSE_INIT_WORD)) {
#if RETYPE
getsecret(secret, "old ", 1);
#else /* RETYPE */
getsecret(secret, "old ", 0);
#endif /* RETYPE */
getsecret(newsecret, "new ", 1);
if (!newsecret[0])
strcpy(newsecret, secret);
if (opienewseed(strcpy(newseed, seed)) < 0) {
fprintf(stderr, "Error updating seed.\n");
goto error;
}
if (opiekeycrunch(algorithm, &newkey, newseed, newsecret)) {
fprintf(stderr, "%s: key crunch failed (1)\n", argv[0]);
goto error;
}
for (i = 0; i < 499; i++)
opiehash(&newkey, algorithm);
} else
#if RETYPE
getsecret(secret, "", 1);
#else /* RETYPE */
getsecret(secret, "", 0);
#endif /* RETYPE */
/* Crunch seed and secret password into starting key normally */
if (opiekeycrunch(algorithm, &key, seed, secret)) {
fprintf(stderr, "%s: key crunch failed\n", argv[0]);
goto error;
}
for (i = 0; i <= (keynum - count); i++)
opiehash(&key, algorithm);
{
char buf[OPIE_SEED_MAX + 48 + 1];
char *c;
for (; i <= keynum; i++) {
if (count > 1)
printf("%d: %s", i, (type == RESPONSE_STANDARD) ? "" : "\n");
switch(type) {
case RESPONSE_STANDARD:
if (hex)
opiebtoh(response, &key);
else
opiebtoe(response, &key);
break;
case RESPONSE_WORD:
strcpy(response, "word:");
strcat(response, opiebtoe(buf, &key));
break;
case RESPONSE_HEX:
strcpy(response, "hex:");
strcat(response, opiebtoh(buf, &key));
break;
case RESPONSE_INIT_HEX:
case RESPONSE_INIT_WORD:
if (type == RESPONSE_INIT_HEX) {
strcpy(response, "init-hex:");
strcat(response, opiebtoh(buf, &key));
sprintf(buf, ":%s 499 %s:", algids[algorithm], newseed);
strcat(response, buf);
strcat(response, opiebtoh(buf, &newkey));
} else {
strcpy(response, "init-word:");
strcat(response, opiebtoe(buf, &key));
sprintf(buf, ":%s 499 %s:", algids[algorithm], newseed);
strcat(response, buf);
strcat(response, opiebtoe(buf, &newkey));
}
break;
}
puts(response);
opiehash(&key, algorithm);
}
}
memset(secret, 0, sizeof(secret));
memset(newsecret, 0, sizeof(newsecret));
return 0;
error:
memset(secret, 0, sizeof(secret));
memset(newsecret, 0, sizeof(newsecret));
return 1;
}

72
contrib/opie/opiekeys.5
View File

@ -1,72 +0,0 @@
.\" opiekeys.5: Manual page describing the /etc/opiekeys file.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.32. This is opiekeys.5, not opiekeys.1 or
.\" opieaccess.5.
.\" Written at NRL for OPIE 2.0.
.\"
.ll 6i
.pl 10.5i
.\" @(#)opiekeys.5 2.0 (NRL) 1/10/95
.\" $FreeBSD$
.\"
.lt 6.0i
.TH OPIEKEYS 5 "January 10, 1995"
.AT 3
.SH NAME
/etc/opiekeys \- OPIE database of user key information
.SH DEPRECATION NOTICE
OPIE is deprecated, and may not be available in FreeBSD 14.0 and later.
.SH DESCRIPTION
The
.I opiekeys
file contains user information used by the OPIE software to authenticate
users. The
.I opiekeys
file is backwards compatible with the S/Key
.I /etc/skeykeys
database file, but only if the hashing algorithm (MD4 and MD5) is the same
between S/Key and OPIE (i.e., MD5 OPIE cannot use MD4 S/Key keys). The
.I opiekeys
file consists of six fields separated by spaces (tabs are properly
interpreted, but spaces should be used instead) as follows:
.PP
.nf
.ta \w' 'u
Field Description
name User's login name.
sequence User's sequence number.
seed User's seed.
key User's last response (hex).
date Last change date.
time Last change time.
.fi
.SH SEE ALSO
.BR ftpd (8)
.BR login (1),
.BR opie (4),
.BR opiekeys (5),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR su (1),
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

131
contrib/opie/opielogin.1
View File

@ -1,131 +0,0 @@
.\" opielogin.1: Manual page for the opielogin(1) program.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.2. Removed MJR DES documentation.
.\" Modified at NRL for OPIE 2.0.
.\" Option descriptions added from BSD.
.\" Written at Bellcore for the S/Key Version 1 software distribution
.\" (keylogin.1).
.\"
.ll 6i
.pl 10.5i
.lt 6.0i
.TH OPIELOGIN 1 "January 10, 1995"
.AT 3
.SH NAME
opielogin \- Replacement for login(1) that issues OPIE challenges.
.SH SYNOPSIS
.B opielogin
[ -p ] [ -r
.I hostname
| -h
.I hostname
| -f
.I username
.sp 0
|
.I username
]
.SH DESCRIPTION
.I opielogin
provides a replacement for the
.IR login (1)
program that provides OPIE challenges
to users and accepts OPIE responses. It is downward compatible with the
.IR keylogin(1)
program from the Bellcore S/Key Version 1 distribution, which, in
turn, is downward compatible with the
.IR login(1)
program from the 4.3BSD Net/2 distribution.
.SH OPTIONS
.TP
.B \-p
By default, login discards any previous environment. The \-p
option disables this behavior.
.TP
.B \-r
Process remote login from
.I hostname.
.TP
.B \-h
The -h option specifies the host from which the connection was
received. It is used by various daemons such as telnetd(8).
This option may only be used by the super\-user.
.TP
.B \-f
The -f option is used when a user name is specified to indicate
that proper authentication has already been done and that no
password need be requested. This option may only be used by the
super\-user or when an already logged in user is logging in as
themselves.
.TP
.I username
The user name to log in as.
.SH EXAMPLE
.sp 0
wintermute$ opielogin
.sp 0
login: kebe
.sp 0
otp-md5 499 wi43143
.sp 0
Password: (echo on)
.sp 0
Password:SLY BLOB TOUR POP BRED EDDY
.sp 0
.sp 0
Welcome to wintermute.
.sp 0
.sp 0
wintermute$
.LP
.SH FILES
.TP
/etc/opiekeys -- database of information for the OPIE system.
.TP
/etc/opieaccess -- list of safe and unsafe networks and masks to go with them.
.TP
$HOME/.opiealways -- presence makes OPIE for logins mandatory for the user.
.SH SEE ALSO
.BR login (1),
.BR opie (4),
.BR opiekey (1),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR opiesu (1),
.BR opieftpd (8),
.BR opiekeys (5),
.BR opieaccess (5)
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

1458
contrib/opie/opielogin.c
View File

File diff suppressed because it is too large Load Diff

181
contrib/opie/opiepasswd.1
View File

@ -1,181 +0,0 @@
.\" opiepasswd.1: Manual page for the opiepasswd(1) program.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.4. Fixed spelling bug.
.\" Modified by cmetz for OPIE 2.3. Added -f flag documentation.
.\" Updated console example.
.\" Modified by cmetz for OPIE 2.2. Removed MJR DES documentation.
.\" Modified at NRL for OPIE 2.0.
.\" Written at Bellcore for the S/Key Version 1 software distribution
.\" (keyinit.1).
.\"
.\" $FreeBSD$
.ll 6i
.pl 10.5i
.lt 6.0i
.TH OPIEPASSWD 1 "January 10, 1995"
.AT 3
.SH NAME
opiepasswd \- Change or set a user's password for the OPIE authentication
system.
.SH SYNOPSIS
.B opiepasswd
[\-v] [\-h] [\-c|\-d] [\-f]
.sp 0
[\-n
.I initial_sequence_number
]
[\-s
.I seed
] [
.I user_name
]
.SH DEPRECATION NOTICE
OPIE is deprecated, and may not be available in FreeBSD 14.0 and later.
.SH DESCRIPTION
.I opiepasswd
will initialize the system information to allow one to use OPIE to login.
.I opiepasswd
is downward compatible with the keyinit(1) program from the
Bellcore S/Key Version 1 distribution.
.SH OPTIONS
.TP
.TP
.B \-v
Display the version number and compile-time options, then exit.
.TP
.B \-h
Display a brief help message and exit.
.TP
.B \-c
Set console mode where the user is expected to have secure access to the
system. In console mode, you will be asked to input your password directly
instead of having to use an OPIE calculator. If you do not have secure access
to the system (i.e., you are not on the system's console), you are
volunteering your password to attackers by using this mode.
.TP
.B \-d
Disable OTP logins to the specified account.
.TP
.B \-f
Force
.I opiepasswd
to continue, even where it normally shouldn't. This is currently used to
force opiepasswd to operate in "console" mode even from terminals it believes
to be insecure. It can also allow users to disclose their secret pass phrases
to attackers. Use of the -f flag may be disabled by compile-time option in
your particular build of OPIE.
.TP
.B \-n
Manually specify the initial sequence number. The default is 499.
.TP
.B \-s
Specify a non-random seed. The default is to generate a "random" seed using
the first two characters of the host name and five pseudo-random digits.
.SH EXAMPLE
Using
.I opiepasswd
from the console:
.LP
.sp 0
wintermute$ opiepasswd \-c
.sp 0
Updating kebe:
.sp 0
Reminder \- Only use this method from the console; NEVER from remote. If you
.sp 0
are using telnet, xterm, or a dial\-in, type ^C now or exit with no password.
.sp 0
Then run opiepasswd without the \-c parameter.
.sp 0
Using MD5 to compute responses.
.sp 0
Enter old secret pass phrase:
.sp 0
Enter new secret pass phrase:
.sp 0
Again new secret pass phrase:
.sp 0
.sp 0
ID kebe OPIE key is 499 be93564
.sp 0
CITE JAN GORY BELA GET ABED
.sp 0
wintermute$
.LP
Using
.I opiepasswd
from remote:
.LP
.sp 0
wintermute$ opiepasswd
.sp 0
Updating kebe:
.sp 0
Reminder: You need the response from your OPIE calculator.
.sp 0
Old secret password:
.sp 0
otp-md5 482 wi93563
.sp 0
Response: FIRM BERN THEE DUCK MANN AWAY
.sp 0
New secret password:
.sp 0
otp-md5 499 wi93564
.sp 0
Response: SKY FAN BUG HUFF GUS BEAT
.sp 0
.sp 0
ID kebe OPIE key is 499 wi93564
.sp 0
SKY FAN BUG HUFF GUS BEAT
.sp 0
wintermute$
.LP
.SH FILES
.TP
/etc/opiekeys -- database of key information for the OPIE system.
.SH SEE ALSO
.BR ftpd (8),
.BR login (1),
.BR passwd (1),
.BR opie (4),
.BR opiekey (1),
.BR opieinfo (1),
.BR su (1),
.BR opiekeys (5),
.BR opieaccess (5)
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

442
contrib/opie/opiepasswd.c
View File

@ -1,442 +0,0 @@
/* opiepasswd.c: Add/change an OTP password in the key database.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_key for key blocks.
Use opiestrncpy().
Modified by cmetz for OPIE 2.32. Use OPIE_SEED_MAX instead of
hard coding the length. Unlock user on failed lookup.
Modified by cmetz for OPIE 2.3. Got of some variables and made some
local to where they're used. Split out the finishing code. Use
opielookup() instead of opiechallenge() to find user. Three
strikes on prompts. Use opiepasswd()'s new calling
convention. Changed OPIE_PASS_{MAX,MIN} to
OPIE_SECRET_{MAX,MIN}. Handle automatic reinits happenning
below us. Got rid of unneeded headers. Use new opieatob8()
return value convention. Added -f flag. Added SHA support.
Modified by cmetz for OPIE 2.22. Finally got rid of the lock
filename kluge by implementing refcounts for locks.
Use opiepasswd() to update key file. Error if we can't
write to the key file. Check for minimum seed length.
Modified at NRL for OPIE 2.2. Changed opiestrip_crlf to
opiestripcrlf. Check opiereadpass() return value.
Minor optimization. Change calls to opiereadpass() to
use echo arg. Use opiereadpass() where we can.
Make everything static. Ifdef around some headers.
Changed use of gethostname() to uname(). Got rid of
the need for buf[]. Properly check return value of
opieatob8. Check seed length. Always generate proper-
length seeds.
Modified at NRL for OPIE 2.1. Minor autoconf changes.
Modified heavily at NRL for OPIE 2.0.
Written at Bellcore for the S/Key Version 1 software distribution
(skeyinit.c).
$FreeBSD$
*/
#include "opie_cfg.h"
#if HAVE_PWD_H
#include <pwd.h>
#endif /* HAVE_PWD_H */
#include <stdio.h>
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include <stdio.h>
#include <sys/types.h>
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#include "opie.h"
#define MODE_DEFAULT 0
#define MODE_CONSOLE 1
#define MODE_DISABLE 2
extern int optind;
extern char *optarg;
char *algnames[] = { NULL, NULL, NULL, "SHA-1", "MD4", "MD5" };
char *algids[] = { NULL, NULL, NULL, "sha1", "md4", "md5" };
static VOIDRET usage FUNCTION((myname), char *myname)
{
fprintf(stderr, "usage: %s [-v] [-h] [-c|-d] [-f] [-n initial_sequence_number]\n [-s seed] [username]\n", myname);
exit(1);
}
static VOIDRET finish FUNCTION((name), char *name)
{
struct opie opie;
char buf[OPIE_RESPONSE_MAX + 1];
if (name) {
if (opiechallenge(&opie, name, buf)) {
fprintf(stderr, "Error verifying database.\n");
finish(NULL);
}
printf("\nID %s ", opie.opie_principal);
if (opie.opie_val && (opie.opie_val[0] == '*')) {
printf("is disabled.\n");
finish(NULL);
}
printf("OTP key is %d %s\n", opie.opie_n, opie.opie_seed);
{
struct opie_otpkey key;
if (!opieatob8(&key, opie.opie_val)) {
fprintf(stderr, "Error verifying key -- possible database corruption.\n");
finish(NULL);
}
printf("%s\n", opiebtoe(buf, &key));
}
}
while(!opieunlock());
exit(name ? 0 : 1);
}
int main FUNCTION((argc, argv), int argc AND char *argv[])
{
struct opie opie;
int rval, n = 499, i, mode = MODE_DEFAULT, force = 0;
char seed[OPIE_SEED_MAX+1];
char *username;
uid_t ruid;
struct passwd *pp;
memset(seed, 0, sizeof(seed));
ruid = getuid();
username = getlogin();
pp = getpwnam(username);
if (username == NULL || pp == NULL || pp->pw_uid != ruid)
pp = getpwuid(ruid);
if (pp == NULL) {
fprintf(stderr, "Who are you?");
return 1;
}
while ((i = getopt(argc, argv, "fhvcn:s:d")) != EOF) {
switch (i) {
case 'v':
opieversion();
case 'f':
#if INSECURE_OVERRIDE
force = OPIEPASSWD_FORCE;
#else /* INSECURE_OVERRIDE */
fprintf(stderr, "Sorry, but the -f option is not supported by this build of OPIE.\n");
#endif /* INSECURE_OVERRIDE */
break;
case 'c':
mode = MODE_CONSOLE;
break;
case 'd':
mode = MODE_DISABLE;
break;
case 'n':
i = atoi(optarg);
if (!(i > 0 && i < 10000)) {
printf("Sequence numbers must be > 0 and < 10000\n");
finish(NULL);
}
n = i;
break;
case 's':
i = strlen(optarg);
if ((i > OPIE_SEED_MAX) || (i < OPIE_SEED_MIN)) {
printf("Seeds must be between %d and %d characters long.\n",
OPIE_SEED_MIN, OPIE_SEED_MAX);
finish(NULL);
}
opiestrncpy(seed, optarg, sizeof(seed));
break;
default:
usage(argv[0]);
}
}
if (argc - optind >= 1) {
if (strcmp(argv[optind], pp->pw_name)) {
if (getuid()) {
printf("Only root can change others' passwords.\n");
exit(1);
}
if ((pp = getpwnam(argv[optind])) == NULL) {
printf("%s: user unknown.\n", argv[optind]);
exit(1);
}
}
}
opielock(pp->pw_name);
rval = opielookup(&opie, pp->pw_name);
switch (rval) {
case 0:
printf("Updating %s:\n", pp->pw_name);
break;
case 1:
printf("Adding %s:\n", pp->pw_name);
break;
case 2:
fprintf(stderr, "Error: Can't update key database.\n");
finish(NULL);
default:
fprintf(stderr, "Error reading key database\n");
finish(NULL);
}
if (seed[0]) {
i = strlen(seed);
if (i > OPIE_SEED_MAX) {
fprintf(stderr, "Seeds must be less than %d characters long.", OPIE_SEED_MAX);
finish(NULL);
}
if (i < OPIE_SEED_MIN) {
fprintf(stderr, "Seeds must be greater than %d characters long.", OPIE_SEED_MIN);
finish(NULL);
}
} else {
if (!rval)
strcpy(seed, opie.opie_seed);
if (opienewseed(seed) < 0) {
fprintf(stderr, "Error updating seed.\n");
finish(NULL);
}
}
if (opie.opie_seed && opie.opie_seed[0] && !strcmp(opie.opie_seed, seed)) {
fprintf(stderr, "You must use a different seed for the new OTP sequence.\n");
finish(NULL);
}
switch(mode) {
case MODE_DEFAULT:
{
char tmp[OPIE_RESPONSE_MAX + 2];
printf("You need the response from an OTP generator.\n");
#if DEBUG
if (!rval) {
#else /* DEBUG */
if (!rval && getuid()) {
#endif /* DEBUG */
char oseed[OPIE_SEED_MAX + 1];
int on;
if (opiechallenge(&opie, pp->pw_name, tmp)) {
fprintf(stderr, "Error issuing challenge.\n");
finish(NULL);
}
on = opiegetsequence(&opie);
{
char *c;
if (c = strrchr(tmp, ' '))
opiestrncpy(oseed, c + 1, sizeof(oseed));
else {
#if DEBUG
fprintf(stderr, "opiepasswd: bogus challenge\n");
#endif /* DEBUG */
finish(NULL);
}
}
printf("Old secret pass phrase:\n\t%s\n\tResponse: ", tmp);
if (!opiereadpass(tmp, sizeof(tmp), 1))
tmp[0] = 0;
i = opieverify(&opie, tmp);
if (!tmp[0]) {
fprintf(stderr, "Error reading response.\n");
finish(NULL);
}
if (i) {
fprintf(stderr, "Error verifying response.\n");
#if DEBUG
fprintf(stderr, "opiepasswd: opieverify() returned %d\n", i);
#endif /* DEBUG */
finish(NULL);
}
{
char nseed[OPIE_SEED_MAX + 1];
int nn;
if (opiechallenge(&opie, pp->pw_name, tmp)) {
fprintf(stderr, "Error verifying database.\n");
finish(NULL);
}
nn = opiegetsequence(&opie);
{
char *c;
if (c = strrchr(tmp, ' '))
opiestrncpy(nseed, c + 1, sizeof(nseed));
else {
#if DEBUG
fprintf(stderr, "opiepasswd: bogus challenge\n");
#endif /* DEBUG */
finish(NULL);
}
}
opieverify(&opie, "");
nn++;
if ((nn != on) || strcmp(oseed, nseed))
finish(pp->pw_name);
}
}
printf("New secret pass phrase:");
for (i = 0;; i++) {
if (i > 2)
finish(NULL);
printf("\n\totp-%s %d %s\n\tResponse: ", algids[MDX], n, seed);
if (!opiereadpass(tmp, sizeof(tmp), 1)) {
fprintf(stderr, "Error reading response.\n");
finish(NULL);
}
if (tmp[0] == '?') {
printf("Enter the response from your OTP calculator: \n");
continue;
}
if (tmp[0] == '\0') {
fprintf(stderr, "Secret pass phrase unchanged.\n");
finish(NULL);
}
if (!(rval = opiepasswd(&opie, force, pp->pw_name, n, seed, tmp)))
finish(pp->pw_name);
if (rval < 0) {
fprintf(stderr, "Error updating key database.\n");
finish(NULL);
}
printf("\tThat is not a valid OTP response.\n");
}
}
break;
case MODE_CONSOLE:
{
char passwd[OPIE_SECRET_MAX + 1], passwd2[OPIE_SECRET_MAX + 1];
/* Get user's secret password */
fprintf(stderr, "Only use this method from the console; NEVER from remote. If you are using\n");
fprintf(stderr, "telnet, xterm, or a dial-in, type ^C now or exit with no password.\n");
fprintf(stderr, "Then run opiepasswd without the -c parameter.\n");
if (opieinsecure() && !force) {
fprintf(stderr, "Sorry, but you don't seem to be on the console or a secure terminal.\n");
if (force)
fprintf(stderr, "Warning: Continuing could disclose your secret pass phrase to an attacker!\n");
else
finish(NULL);
};
printf("Using %s to compute responses.\n", algnames[MDX]);
if (!rval && getuid()) {
printf("Enter old secret pass phrase: ");
if (!opiereadpass(passwd, sizeof(passwd), 0)) {
fprintf(stderr, "Error reading secret pass phrase!\n");
finish(NULL);
}
if (!passwd[0]) {
fprintf(stderr, "Secret pass phrase unchanged.\n");
finish(NULL);
}
{
struct opie_otpkey key;
char tbuf[OPIE_RESPONSE_MAX + 1];
if (opiekeycrunch(MDX, &key, opie.opie_seed, passwd) != 0) {
fprintf(stderr, "%s: key crunch failed. Secret pass phrase unchanged\n", argv[0]);
finish(NULL);
}
memset(passwd, 0, sizeof(passwd));
i = opie.opie_n - 1;
while (i-- != 0)
opiehash(&key, MDX);
opiebtoe(tbuf, &key);
if (opieverify(&opie, tbuf)) {
fprintf(stderr, "Sorry.\n");
finish(NULL);
}
}
}
for (i = 0;; i++) {
if (i > 2)
finish(NULL);
printf("Enter new secret pass phrase: ");
if (!opiereadpass(passwd, sizeof(passwd), 0)) {
fprintf(stderr, "Error reading secret pass phrase.\n");
finish(NULL);
}
if (!passwd[0] || feof(stdin)) {
fprintf(stderr, "Secret pass phrase unchanged.\n");
finish(NULL);
}
if (opiepasscheck(passwd)) {
memset(passwd, 0, sizeof(passwd));
fprintf(stderr, "Secret pass phrases must be between %d and %d characters long.\n", OPIE_SECRET_MIN, OPIE_SECRET_MAX);
continue;
}
printf("Again new secret pass phrase: ");
if (!opiereadpass(passwd2, sizeof(passwd2), 0)) {
fprintf(stderr, "Error reading secret pass phrase.\n");
finish(NULL);
}
if (feof(stdin)) {
fprintf(stderr, "Secret pass phrase unchanged.\n");
finish(NULL);
}
if (!passwd[0] || !strcmp(passwd, passwd2))
break;
fprintf(stderr, "Sorry, no match.\n");
}
memset(passwd2, 0, sizeof(passwd2));
if (opiepasswd(&opie, 1 | force, pp->pw_name, n, seed, passwd)) {
fprintf(stderr, "Error updating key database.\n");
finish(NULL);
}
finish(pp->pw_name);
}
case MODE_DISABLE:
{
char tmp[4];
int i;
for (i = 0;; i++) {
if (i > 2)
finish(NULL);
printf("Disable %s's OTP access? (yes or no) ", pp->pw_name);
if (!opiereadpass(tmp, sizeof(tmp), 1)) {
fprintf(stderr, "Error reading entry.\n");
finish(NULL);
}
if (!strcmp(tmp, "no"))
finish(NULL);
if (!strcmp(tmp, "yes")) {
if (opiepasswd(&opie, 0, pp->pw_name, n, seed, NULL)) {
fprintf(stderr, "Error updating key database.\n");
finish(NULL);
}
finish(pp->pw_name);
}
}
}
}
}

82
contrib/opie/opieserv.1
View File

@ -1,82 +0,0 @@
.\" opieserv.1: Manual page for the opieserv(1) program.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Created by cmetz for OPIE 2.2 from opiegen.1.
.\"
.ll 6i
.pl 10.5i
.lt 6.0i
.TH OPIEKEY 1 "February 20, 1996"
.AT 3
.SH NAME
opieserv \- Example OPIE-based OTP server
.SH SYNOPSIS
.B opieserv
.sp 0
[
.I principal
]
.sp 0
.SH DESCRIPTION
.I opieserv
takes an OTP principal (e.g., a user name) from either the command line or
standard input and returns a current OTP challenge for that principal. It then
reads an OTP response to that challenge from standard input and displays a
message and returns a value to indicate either success (exit value = 0) or
failure (exit value = 1). It is intended as an example for programmers
of how a simple OTP server can be built.
.SH EXAMPLE
.sp 0
wintermute$ opieserv kebe
.sp 0
otp-md5 495 wi01309
.sp 0
Response:
.sp 0
User verified.
.sp 0
wintermute$
.LP
.SH SEE ALSO
.BR opiegen (1),
.BR opiekey (1),
.BR opie (4),
.BR opiepasswd (1),
.BR opieinfo (1),
.BR opiesu (1),
.BR opielogin (1),
.BR opieftpd (8),
.BR opiekeys (5),
.BR opieaccess (5)
.SH AUTHOR
The opieserv1) program was created by Craig Metz for OPIE 2.2.
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

83
contrib/opie/opieserv.c
View File

@ -1,83 +0,0 @@
/* opieserv.c: Sample OTP server based on the opiechallenge() and
opieverify() library routines.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.3. Send debug info to syslog.
Created by cmetz for OPIE 2.2.
*/
#include "opie_cfg.h"
#include <stdio.h>
#if DEBUG
#include <syslog.h>
#endif /* DEBUG */
#include "opie.h"
int main FUNCTION((argc, argv), int argc AND char *argv[])
{
struct opie opie;
char *principal;
char buffer[1024];
char challenge[OPIE_CHALLENGE_MAX+1];
char response[OPIE_RESPONSE_MAX+1];
int result;
if (argc <= 1) {
fputs("Principal: ", stderr);
if (!opiereadpass(buffer, sizeof(buffer)-1, 1))
fprintf(stderr, "Error reading principal!");
principal = buffer;
} else {
principal = argv[1];
}
#if DEBUG
syslog(LOG_DEBUG, "Principal is +%s+", principal);
#endif /* DEBUG */
switch (result = opiechallenge(&opie, principal, challenge)) {
case -1:
fputs("System error!\n", stderr);
exit(1);
case 0:
break;
case 1:
fputs("User not found!\n", stderr);
exit(1);
case 2:
fputs("System error!\n", stderr);
exit(1);
default:
fprintf(stderr, "Unknown error %d!\n", result);
exit(1);
};
fputs(challenge, stdout);
fputc('\n', stdout);
fflush(stdout);
fputs("Response: ", stderr);
if (!opiereadpass(response, OPIE_RESPONSE_MAX, 1)) {
fputs("Error reading response!\n", stderr);
exit(1);
};
switch (result = opieverify(&opie, response)) {
case -1:
fputs("System error!\n", stderr);
exit(1);
case 0:
fputs("User verified.\n", stderr);
exit(0);
case 1:
fputs("Verify failed!\n", stderr);
exit(1);
default:
fprintf(stderr, "Unknown error %d!\n", result);
exit(1);
}
}

101
contrib/opie/opiesu.1
View File

@ -1,101 +0,0 @@
.\" opiesu.c: Manual page for the opiesu(1) program.
.\"
.\" %%% portions-copyright-cmetz-96
.\" Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
.\" Reserved. The Inner Net License Version 2 applies to these portions of
.\" the software.
.\" You should have received a copy of the license with this software. If
.\" you didn't get a copy, you may request one from <license@inner.net>.
.\"
.\" Portions of this software are Copyright 1995 by Randall Atkinson and Dan
.\" McDonald, All Rights Reserved. All Rights under this copyright are assigned
.\" to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
.\" License Agreement applies to this software.
.\"
.\" History:
.\"
.\" Modified by cmetz for OPIE 2.3. Removed statement that opiesu will
.\" only accept OTP responses.
.\" Modified by cmetz for OPIE 2.2. Removed MJR DES documentation.
.\" Modified at NRL for OPIE 2.0.
.\" Documentation for the "-f" option from BSD.
.\" Written at Bellcore for the S/Key Version 1 software distribution
.\" (keysu.1).
.\"
.ll 6i
.pl 10.5i
.lt 6.0i
.TH OPIESU 1 "January 10, 1995"
.AT 3
.SH NAME
opiesu \- Replacement su(1) program that uses OPIE challenges
.SH SYNOPSIS
.B opiesu
[ \-f ] [ \-c ] [
.I user_name
]
.SH DESCRIPTION
.I opiesu
is a replacement for the su(1) program that issues OPIE challenges and
uses OPIE responses. It is downward compatible with keysu(1) from the
Bellcore S/Key Version 1 distribution and the su(1) program from the 4.3BSD
Net/2 distribution.
.SH OPTIONS
.TP
.B \-f
If the invoked shell is csh(1), this option prevents it from
reading the ``.cshrc'' file. (The [f] option may be passed as a
shell argument after the login name, so this option is redundant
and obsolescent.)
.TP
.B \-c
Set console mode where the user is expected to have secure access to the
system. In console mode, you will be asked to input your password directly
instead of having to use an OPIE calculator. If you do not have secure access
to the system (i.e., you are not on the system's console), you are
volunteering your password to attackers by using this mode.
.TP
.I user_name
The name of the user to become.
The default is root.
.SH EXAMPLE
.sp 0
wintermute$ opiesu kebe
.sp 0
otp-md5 498 wi910502
.sp 0
(OTP response required)
.sp 0
kebe's password: (echo on)
.sp 0
kebe's password: RARE GLEN HUGH BOYD NECK MOLL
.sp 0
wintermute#
.LP
.SH FILES
.TP
/etc/opiekeys database of information for OPIE system.
.LP
.SH SEE ALSO
.BR su (1),
.BR opie (4),
.BR opiekey (1),
.BR opieinfo (1),
.BR opiesu (1),
.BR opielogin (1),
.BR opieftpd (8),
.BR opiekeys (5),
.BR opieaccess (5)
.SH AUTHOR
Bellcore's S/Key was written by Phil Karn, Neil M. Haller, and John S. Walden
of Bellcore. OPIE was created at NRL by Randall Atkinson, Dan McDonald, and
Craig Metz.
S/Key is a trademark of Bell Communications Research (Bellcore).
.SH CONTACT
OPIE is discussed on the Bellcore "S/Key Users" mailing list. To join,
send an email request to:
.sp
skey-users-request@thumper.bellcore.com

512
contrib/opie/opiesu.c
View File

@ -1,512 +0,0 @@
/* opiesu.c: main body of code for the su(1m) program
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.4. Check euid on startup. Use
opiestrncpy().
Modified by cmetz for OPIE 2.32. Set up TERM and PATH correctly.
Modified by cmetz for OPIE 2.31. Fix sulog(). Replaced Getlogin() with
currentuser. Fixed fencepost error in month printed by sulog().
Modified by cmetz for OPIE 2.3. Limit the length of TERM on full login.
Use HAVE_SULOG instead of DOSULOG.
Modified by cmetz for OPIE 2.2. Don't try to clear non-blocking I/O.
Use opiereadpass(). Minor speedup. Removed termios manipulation
-- that's opiereadpass()'s job. Change opiereadpass() calls
to add echo arg. Removed useless strings (I don't think that
removing the ucb copyright one is a problem -- please let me
know if I'm wrong). Use FUNCTION declaration et al. Ifdef
around some headers. Make everything static. Removed
closelog() prototype. Use the same catchexit() trickery as
opielogin.
Modified at NRL for OPIE 2.2. Changed opiestrip_crlf to
opiestripcrlf.
Modified at NRL for OPIE 2.1. Added struct group declaration.
Added Solaris(+others?) sulog capability. Symbol changes
for autoconf. Removed des_crypt.h. File renamed to
opiesu.c. Symbol+misc changes for autoconf. Added bletch
for setpriority.
Modified at NRL for OPIE 2.02. Added SU_STAR_CHECK (turning a bug
into a feature ;). Fixed Solaris shadow password problem
introduced in OPIE 2.01 (the shadow password structure is
spwd, not spasswd).
Modified at NRL for OPIE 2.01. Changed password lookup handling
to use a static structure to avoid problems with drain-
bamaged shadow password packages. Always log failures.
Make sure to close syslog by function to avoid problems
with drain bamaged syslog implementations. Log a few
interesting errors.
Modified at NRL for OPIE 2.0.
Modified at Bellcore for the S/Key Version 1 software distribution.
Originally from BSD.
*/
/*
* Copyright (c) 1980 Regents of the University of California.
* All rights reserved. The Berkeley software License Agreement
* specifies the terms and conditions for redistribution.
*/
#include "opie_cfg.h"
#include <stdio.h>
#if HAVE_PWD_H
#include <pwd.h>
#endif /* HAVE_PWD_H */
#include <grp.h>
#include <syslog.h>
#include <sys/types.h>
#if HAVE_SETPRIORITY && HAVE_SYS_RESOURCE_H
#if TIME_WITH_SYS_TIME
# include <sys/time.h>
# include <time.h>
#else /* TIME_WITH_SYS_TIME */
#if HAVE_SYS_TIME_H
#include <sys/time.h>
#else /* HAVE_SYS_TIME_H */
#include <time.h>
#endif /* HAVE_SYS_TIME_H */
#endif /* TIME_WITH_SYS_TIME */
#include <sys/resource.h>
#else /* HAVE_SETPRIORITY && HAVE_SYS_RESOURCE_H */
#if TM_IN_SYS_TIME
#include <sys/time.h>
#else /* TM_IN_SYS_TIME */
#include <time.h>
#endif /* TM_IN_SYS_TIME */
#endif /* HAVE_SETPRIORITY && HAVE_SYS_RESOURCE_H */
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include <errno.h>
#include "opie.h"
static char userbuf[16] = "USER=";
static char homebuf[128] = "HOME=";
static char shellbuf[128] = "SHELL=";
static char pathbuf[sizeof("PATH") + sizeof(DEFAULT_PATH) - 1] = "PATH=";
static char termbuf[32] = "TERM=";
static char *cleanenv[] = {userbuf, homebuf, shellbuf, pathbuf, 0, 0};
static char *user = "root";
static char *shell = "/bin/sh";
static int fulllogin;
#if 0
static int fastlogin;
#else /* 0 */
static int force = 0;
#endif /* 0 */
static char currentuser[65];
extern char **environ;
static struct passwd thisuser, nouser;
#if HAVE_SHADOW_H
#include <shadow.h>
#endif /* HAVE_SHADOW_H */
#if HAVE_CRYPT_H
#include <crypt.h>
#endif /* HAVE_CRYPT_H */
static VOIDRET catchexit FUNCTION_NOARGS
{
int i;
closelog();
for (i = sysconf(_SC_OPEN_MAX); i > 2; i--)
close(i);
}
/* We allow the malloc()s to potentially leak data out because we can
only call this routine about four times in the lifetime of this process
and the kernel will free all heap memory when we exit or exec. */
static int lookupuser FUNCTION((name), char *name)
{
struct passwd *pwd;
#if HAVE_SHADOW
struct spwd *spwd;
#endif /* HAVE_SHADOW */
memcpy(&thisuser, &nouser, sizeof(thisuser));
if (!(pwd = getpwnam(name)))
return -1;
thisuser.pw_uid = pwd->pw_uid;
thisuser.pw_gid = pwd->pw_gid;
if (!(thisuser.pw_name = malloc(strlen(pwd->pw_name) + 1)))
goto lookupuserbad;
strcpy(thisuser.pw_name, pwd->pw_name);
if (!(thisuser.pw_dir = malloc(strlen(pwd->pw_dir) + 1)))
goto lookupuserbad;
strcpy(thisuser.pw_dir, pwd->pw_dir);
if (!(thisuser.pw_shell = malloc(strlen(pwd->pw_shell) + 1)))
goto lookupuserbad;
strcpy(thisuser.pw_shell, pwd->pw_shell);
#if HAVE_SHADOW
if (!(spwd = getspnam(name)))
goto lookupuserbad;
pwd->pw_passwd = spwd->sp_pwdp;
endspent();
#endif /* HAVE_SHADOW */
if (!(thisuser.pw_passwd = malloc(strlen(pwd->pw_passwd) + 1)))
goto lookupuserbad;
strcpy(thisuser.pw_passwd, pwd->pw_passwd);
endpwent();
#if SU_STAR_CHECK
return ((thisuser.pw_passwd[0] == '*') || (thisuser.pw_passwd[0] == '#'));
#else /* SU_STAR_CHECK */
return 0;
#endif /* SU_STAR_CHECK */
lookupuserbad:
memcpy(&thisuser, &nouser, sizeof(thisuser));
return -1;
}
static VOIDRET lsetenv FUNCTION((ename, eval, buf), char *ename AND char *eval AND char *buf)
{
register char *cp, *dp;
register char **ep = environ;
/* this assumes an environment variable "ename" already exists */
while (dp = *ep++) {
for (cp = ename; *cp == *dp && *cp; cp++, dp++)
continue;
if (*cp == 0 && (*dp == '=' || *dp == 0)) {
strcat(buf, eval);
*--ep = buf;
return;
}
}
}
#if HAVE_SULOG
static int sulog FUNCTION((status, who), int status AND char *who)
{
char *from;
char *ttynam;
struct tm *tm;
FILE *f;
time_t now;
if (who)
from = who;
else
from = currentuser;
if (!strncmp(ttynam = ttyname(2), "/dev/", 5))
ttynam += 5;
now = time(NULL);
tm = localtime(&now);
if (!(f = fopen("/var/adm/sulog", "a"))) {
fprintf(stderr, "Can't update su log!\n");
exit(1);
}
fprintf(f, "SU %02d/%02d %02d:%02d %c %s %s-%s\n",
tm->tm_mon + 1, tm->tm_mday, tm->tm_hour, tm->tm_min,
status ? '+' : '-', ttynam, from, user);
fclose(f);
}
#endif /* HAVE_SULOG */
int main FUNCTION((argc, argv), int argc AND char *argv[])
{
char *p;
struct opie opie;
int i;
char pbuf[256];
char opieprompt[80];
int console = 0;
char *argvbuf;
for (i = sysconf(_SC_OPEN_MAX); i > 2; i--)
close(i);
openlog("su", LOG_ODELAY, LOG_AUTH);
atexit(catchexit);
{
int argvsize = 0;
for (i = 0; i < argc; argvsize += strlen(argv[i++]));
argvsize += argc;
if (!(argvbuf = malloc(argvsize))) {
syslog(LOG_ERR, "can't allocate memory to store command line");
exit(1);
};
for (i = 0, *argvbuf = 0; i < argc;) {
strcat(argvbuf, argv[i]);
if (++i < argc)
strcat(argvbuf, " ");
};
};
strcat(pathbuf, DEFAULT_PATH);
again:
if (argc > 1 && strcmp(argv[1], "-f") == 0) {
#if 0
fastlogin++;
#else /* 0 */
#if INSECURE_OVERRIDE
force = 1;
#else /* INSECURE_OVERRIDE */
fprintf(stderr, "Sorry, but the -f option is not supported by this build of OPIE.\n");
#endif /* INSECURE_OVERRIDE */
#endif /* 0 */
argc--, argv++;
goto again;
}
if (argc > 1 && strcmp(argv[1], "-c") == 0) {
console++;
argc--, argv++;
goto again;
}
if (argc > 1 && strcmp(argv[1], "-") == 0) {
fulllogin++;
argc--;
argv++;
goto again;
}
if (argc > 1 && argv[1][0] != '-') {
user = argv[1];
argc--;
argv++;
}
{
struct passwd *pwd;
char *p = getlogin();
char buf[32];
if ((pwd = getpwuid(getuid())) == NULL) {
syslog(LOG_CRIT, "'%s' failed for unknown uid %d on %s", argvbuf, getuid(), ttyname(2));
#if HAVE_SULOG
sulog(0, "unknown");
#endif /* HAVE_SULOG */
exit(1);
}
opiestrncpy(buf, pwd->pw_name, sizeof(buf));
if (!p)
p = "unknown";
opiestrncpy(currentuser, p, 31);
if (p && *p && strcmp(currentuser, buf)) {
strcat(currentuser, "(");
strcat(currentuser, buf);
strcat(currentuser, ")");
};
if (lookupuser(user)) {
syslog(LOG_CRIT, "'%s' failed for %s on %s", argvbuf, currentuser, ttyname(2));
#if HAVE_SULOG
sulog(0, NULL);
#endif /* HAVE_SULOG */
fprintf(stderr, "Unknown user: %s\n", user);
exit(1);
}
if (geteuid()) {
syslog(LOG_CRIT, "'%s' failed for %s on %s: not running with superuser priveleges", argvbuf, currentuser, ttyname(2));
#if HAVE_SULOG
sulog(0, NULL);
#endif /* HAVE_SULOG */
fprintf(stderr, "You do not have permission to su %s\n", user);
exit(1);
};
/* Implement the BSD "wheel group" su restriction. */
#if DOWHEEL
/* Only allow those in group zero to su to root? */
if (thisuser.pw_uid == 0) {
struct group *gr;
if ((gr = getgrgid(0)) != NULL) {
for (i = 0; gr->gr_mem[i] != NULL; i++)
if (strcmp(buf, gr->gr_mem[i]) == 0)
goto userok;
fprintf(stderr, "You do not have permission to su %s\n", user);
exit(1);
}
userok:
;
#if HAVE_SETPRIORITY && HAVE_SYS_RESOURCE_H
setpriority(PRIO_PROCESS, 0, -2);
#endif /* HAVE_SETPRIORITY && HAVE_SYS_RESOURCE_H */
}
#endif /* DOWHEEL */
};
if (!thisuser.pw_passwd[0] || getuid() == 0)
goto ok;
if (console) {
if (!opiealways(thisuser.pw_dir)) {
fprintf(stderr, "That account requires OTP responses.\n");
exit(1);
};
/* Get user's secret password */
fprintf(stderr, "Reminder - Only use this method from the console; NEVER from remote. If you\n");
fprintf(stderr, "are using telnet, xterm, or a dial-in, type ^C now or exit with no password.\n");
fprintf(stderr, "Then run su without the -c parameter.\n");
if (opieinsecure()) {
fprintf(stderr, "Sorry, but you don't seem to be on the console or a secure terminal.\n");
#if INSECURE_OVERRIDE
if (force)
fprintf(stderr, "Warning: Continuing could disclose your secret pass phrase to an attacker!\n");
else
#endif /* INSECURE_OVERRIDE */
exit(1);
};
#if NEW_PROMPTS
printf("%s's system password: ", thisuser.pw_name);
if (!opiereadpass(pbuf, sizeof(pbuf), 0))
goto error;
#endif /* NEW_PROMPTS */
} else {
/* Attempt an OTP challenge */
i = opiechallenge(&opie, user, opieprompt);
printf("%s\n", opieprompt);
#if NEW_PROMPTS
printf("%s's response: ", thisuser.pw_name);
if (!opiereadpass(pbuf, sizeof(pbuf), 1))
goto error;
#else /* NEW_PROMPTS */
printf("(OTP response required)\n");
#endif /* NEW_PROMPTS */
fflush(stdout);
};
#if !NEW_PROMPTS
printf("%s's password: ", thisuser.pw_name);
if (!opiereadpass(pbuf, sizeof(pbuf), 0))
goto error;
#endif /* !NEW_PROMPTS */
#if !NEW_PROMPTS
if (!pbuf[0] && !console) {
/* Null line entered; turn echoing back on and read again */
printf(" (echo on)\n%s's password: ", thisuser.pw_name);
if (!opiereadpass(pbuf, sizeof(pbuf), 1))
goto error;
}
#endif /* !NEW_PROMPTS */
if (console) {
/* Try regular password check, if allowed */
if (!strcmp(crypt(pbuf, thisuser.pw_passwd), thisuser.pw_passwd))
goto ok;
} else {
int i = opiegetsequence(&opie);
if (!opieverify(&opie, pbuf)) {
/* OPIE authentication succeeded */
if (i < 5)
fprintf(stderr, "Warning: Change %s's OTP secret pass phrase NOW!\n", user);
else
if (i < 10)
fprintf(stderr, "Warning: Change %s's OTP secret pass phrase soon.\n", user);
goto ok;
};
};
error:
if (!console)
opieverify(&opie, "");
fprintf(stderr, "Sorry\n");
syslog(LOG_CRIT, "'%s' failed for %s on %s", argvbuf, currentuser, ttyname(2));
#if HAVE_SULOG
sulog(0, NULL);
#endif /* HAVE_SULOG */
exit(2);
ok:
syslog(LOG_NOTICE, "'%s' by %s on %s", argvbuf, currentuser, ttyname(2));
#if HAVE_SULOG
sulog(1, NULL);
#endif /* HAVE_SULOG */
if (setgid(thisuser.pw_gid) < 0) {
perror("su: setgid");
exit(3);
}
if (initgroups(user, thisuser.pw_gid)) {
fprintf(stderr, "su: initgroups failed (errno=%d)\n", errno);
exit(4);
}
if (setuid(thisuser.pw_uid) < 0) {
perror("su: setuid");
exit(5);
}
if (thisuser.pw_shell && *thisuser.pw_shell)
shell = thisuser.pw_shell;
if (fulllogin) {
if ((p = getenv("TERM")) && (strlen(termbuf) + strlen(p) - 1 < sizeof(termbuf))) {
strcat(termbuf, p);
cleanenv[4] = termbuf;
}
environ = cleanenv;
}
if (fulllogin || strcmp(user, "root") != 0)
lsetenv("USER", thisuser.pw_name, userbuf);
lsetenv("SHELL", shell, shellbuf);
lsetenv("HOME", thisuser.pw_dir, homebuf);
#if HAVE_SETPRIORITY && HAVE_SYS_RESOURCE_H
setpriority(PRIO_PROCESS, 0, 0);
#endif /* HAVE_SETPRIORITY && HAVE_SYS_RESOURCE_H */
#if 0
if (fastlogin) {
*argv-- = "-f";
*argv = "su";
} else
#endif /* 0 */
if (fulllogin) {
if (chdir(thisuser.pw_dir) < 0) {
fprintf(stderr, "No directory\n");
exit(6);
}
*argv = "-su";
} else {
*argv = "su";
}
catchexit();
#if DEBUG
syslog(LOG_DEBUG, "execing %s", shell);
#endif /* DEBUG */
execv(shell, argv);
fprintf(stderr, "No shell\n");
exit(7);
}

310
contrib/opie/opietest.c
View File

@ -1,310 +0,0 @@
/* opietest.c: Quick, though definitely not complete, regression test for
libopie. This is intended to catch two things:
(1) when changes break something
(2) if some system wierdness (libc, compiler, or CPU/hardware) is
not getting along at all with OPIE.
It's safe to say that, if tests fail, OPIE isn't going to work right
on your system. The converse is not such a safe statement.
%%% copyright-cmetz-96
This software is Copyright 1996-2001 by Craig Metz, All Rights Reserved.
The Inner Net License Version 3 applies to this software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
History:
Modified by cmetz for OPIE 2.4. Use struct opie_key for key blocks.
Modified by cmetz for OPIE 2.31. Added a couple of new checks,
removed a few commented-out checks for functions that
no longer exist, added test-skip capability.
Modified by cmetz for OPIE 2.3. Use new calling conventions for
opiebtoa8()/atob8(). opiegenerator() outputs hex now.
Modified by cmetz for OPIE 2.22. Test opielock()/opieunlock()
refcount support.
Created by cmetz for OPIE 2.2.
*/
#include "opie_cfg.h"
#include <stdio.h>
#include "opie.h"
char buffer[1024];
int testatob8()
{
static char testin[] = "0123456789abcdef";
static unsigned char testout[sizeof(struct opie_otpkey)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
struct opie_otpkey key;
if (!opieatob8(&key, testin))
return -1;
if (memcmp(&key, testout, sizeof(testout)))
return -1;
return 0;
}
int testbtoa8()
{
static unsigned char testin[sizeof(struct opie_otpkey)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
static char testout[] = "0123456789abcdef";
struct opie_otpkey testin_aligned;
memcpy(&testin_aligned, testin, sizeof(struct opie_otpkey));
if (!opiebtoa8(buffer, &testin_aligned))
return -1;
if (memcmp(buffer, testout, sizeof(testout)))
return -1;
return 0;
}
int testbtoe()
{
static unsigned char testin[sizeof(struct opie_otpkey)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
static char testout[] = "AIM HEW BLUM FED MITE WARM";
struct opie_otpkey testin_aligned;
memcpy(&testin_aligned, testin, sizeof(struct opie_otpkey));
if (!opiebtoe(buffer, &testin_aligned))
return -1;
if (memcmp(buffer, testout, sizeof(testout)))
return -1;
return 0;
}
int testetob()
{
static char testin[] = "AIM HEW BLUM FED MITE WARM";
static unsigned char testout[sizeof(struct opie_otpkey)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
struct opie_otpkey key;
if (opieetob(&key, testin) != 1)
return -1;
if (memcmp(&key, testout, sizeof(testout)))
return -1;
return 0;
}
int testgenerator()
{
static char testin1[] = "otp-md5 123 ke1234";
static char testin2[] = "this is a test";
/* static char testout[] = "END KERN BALM NICK EROS WAVY"; */
static char testout[] = "11D4 C147 E227 C1F1";
if (opiegenerator(testin1, testin2, buffer))
return -1;
if (memcmp(buffer, testout, sizeof(testout)))
return -1;
return 0;
}
int testgetsequence()
{
struct opie testin;
testin.opie_n = 42;
if (opiegetsequence(&testin) != 42)
return -1;
return 0;
}
int testhashmd4()
{
static unsigned char testin[sizeof(struct opie_otpkey)] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
static unsigned char testout[sizeof(struct opie_otpkey)] = { 0x9f, 0x40, 0xfb, 0x84, 0xb, 0xf8, 0x7f, 0x4b };
struct opie_otpkey testin_aligned;
memcpy(&testin_aligned, testin, sizeof(struct opie_otpkey));
opiehash(&testin_aligned, 4);
if (memcmp(&testin_aligned, testout, sizeof(struct opie_otpkey)))
return -1;
return 0;
}
int testhashmd5()
{
static unsigned char testin[] = { 0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };
static unsigned char testout[] = { 0x78, 0xdd, 0x1a, 0x37, 0xf8, 0x91, 0x54, 0xe1 };
struct opie_otpkey testin_aligned;
memcpy(&testin_aligned, testin, sizeof(struct opie_otpkey));
opiehash(&testin_aligned, 5);
if (memcmp(&testin_aligned, testout, sizeof(struct opie_otpkey)))
return -1;
return 0;
}
int testinsecure()
{
opieinsecure();
return 0;
}
int testkeycrunch()
{
static char testin1[] = "ke1234";
static char testin2[] = "this is a test";
static unsigned char testout[sizeof(struct opie_otpkey)] = { 0x2e, 0xd3, 0x5d, 0x74, 0x3e, 0xa9, 0xe9, 0xe8 };
struct opie_otpkey opie_otpkey;
if (opiekeycrunch(5, &opie_otpkey, testin1, testin2))
return -1;
if (memcmp(&opie_otpkey, testout, sizeof(struct opie_otpkey)))
return -1;
return 0;
}
int testlock()
{
int i;
if (getuid())
return -2;
for (i = 0; i < 3; i++)
if (opielock("__opietest"))
return -1;
return 0;
}
int testpasscheck()
{
static char testin1[] = "abadone";
static char testin2[] = "A more reasonable choice.";
if (!opiepasscheck(testin1))
return -1;
if (opiepasscheck(testin2))
return -1;
return 0;
}
int testrandomchallenge()
{
char buffer[OPIE_CHALLENGE_MAX+1];
opierandomchallenge(buffer);
if (strncmp(buffer, "otp-", 4))
return -1;
return 0;
}
int testunlock()
{
int i;
if (getuid())
return -2;
for (i = 0; i < 3; i++)
if (opieunlock())
return -1;
if (opieunlock() != -1)
return -1;
return 0;
}
struct opietest {
int (*f)();
char *n;
};
static struct opietest opietests[] = {
{ testatob8, "atob8" },
{ testbtoa8, "btoa8" },
{ testbtoe, "btoe" },
{ testetob, "etob" },
/* { testchallenge, "challenge" }, */
{ testgenerator, "generator" },
{ testgetsequence, "getsequence" },
{ testhashmd4, "hash(MD4)" },
{ testhashmd5, "hash(MD5)" },
{ testinsecure, "insecure" },
{ testkeycrunch, "keycrunch" },
{ testlock, "lock" },
{ testrandomchallenge, "randomchallenge" },
/* { testreadpass, "readpass" }, */
{ testunlock, "unlock" },
/* { testverify, "verify" }, */
{ NULL, NULL }
};
int main FUNCTION((argc, argv), int argc AND char *argv[])
{
struct opietest *opietest;
int tests_passed = 0;
int tests_failed = 0;
int tests_skipped = 0;
int ntests = 0, testn = 0;
if (getuid() != geteuid()) {
fprintf(stderr, "opietest: do not make this program setuid!\n");
exit(1);
};
for (opietest = opietests; opietest->n; opietest++)
ntests++;
printf("opietest: executing %d tests\n", ntests);
for (opietest = opietests, testn = 1; opietest->n; opietest++) {
printf("(%2d/%2d) testing opie%s... ", testn++, ntests, opietest->n);
switch(opietest->f()) {
case -2:
printf("skipped\n");
tests_skipped++;
opietest->f = NULL;
break;
case -1:
printf("FAILED!\n");
tests_failed++;
break;
case 0:
printf("passed\n");
tests_passed++;
opietest->f = NULL;
break;
}
}
printf("opietest: completed %d tests. %d tests passed, %d tests skipped, %d tests failed.\n", ntests, tests_passed, tests_skipped, tests_failed);
if (tests_failed) {
printf("opietest: please correct the following failures before attempting to use OPIE:\n");
for (opietest = opietests; opietest->n; opietest++)
if (opietest->f)
printf(" opie%s\n", opietest->n);
exit(1);
}
exit(0);
}

167
contrib/opie/permsfile.c
View File

@ -1,167 +0,0 @@
/* permsfile.c: implement SunOS /etc/fbtab and Solaris /etc/logindevperm
functionality to set device permissions on login
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.31. Include unistd.h.
Modified by cmetz for OPIE 2.3. Check for NULL return from
ftpglob(), combine some expressions, fix a typo. Made file
selection a bit more generic.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Add opie.h. Ifdef around a header.
Written at NRL for OPIE 2.0.
*/
#include "opie_cfg.h"
#ifdef HAVE_LOGIN_PERMFILE
#include <stdio.h>
#include <sys/types.h>
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <syslog.h>
#include "opie.h"
/* Line buffer size (one more than max line length) */
#define BUFSIZE 128
/* Maximum number of list items in a field */
#define LISTSIZE 10
static char buf[BUFSIZE], buf2[8];
char **ftpglob __P((char *));
VOIDRET opiefatal FUNCTION((x), char *x)
{
fprintf(stderr, x);
exit(1);
}
#include "glob.c"
static int getalist FUNCTION((string, list), char **string AND char **list)
{
char *s = *string;
int i = 0;
while (*s && (*s != '\n') && (*s != ' ') && (*s != '\t'))
if ((*s == ':') || (*s == ',')) {
*(s++) = 0;
list[i++] = *string;
*string = s;
if (i == LISTSIZE)
return i;
} else
s++;
if ((int) (s) - (int) (*string)) {
*s = 0;
list[i++] = *string;
}
*string = ++s;
return i;
}
static VOIDRET doaline FUNCTION((line, name, ttyn, uid, gid), char *line AND char *name AND char *ttyn AND uid_t uid AND gid_t gid)
{
char *ptr;
int i;
int applies, llen;
char *listbuf[LISTSIZE], **globlist;
if (ptr = strchr(buf, '#'))
*ptr = 0;
/* Skip whitespace */
for (ptr = buf; *ptr && ((*ptr == ' ') || (*ptr == '\t'));
ptr++);
if (!*ptr)
return;
/* (Optional) Field 1: user name(s) */
if ((*ptr != '/') && (*ptr != '~')) {
llen = getalist(&ptr, listbuf);
for (applies = i = 0; (i < llen) && !applies; i++)
if (!strcmp(listbuf[i], name))
applies++;
while (*ptr && ((*ptr == ' ') || (*ptr == '\t')))
ptr++;
if (!applies || !*ptr)
return;
}
/* Field 2: terminal(s) */
llen = getalist(&ptr, listbuf);
for (applies = i = 0; (i < llen) && !applies; i++)
if (!strcmp(listbuf[i], ttyn))
applies++;
while (*ptr && ((*ptr == ' ') || (*ptr == '\t')))
ptr++;
if (!applies || !*ptr)
return;
/* Field 3: mode */
for (applies = 0; *ptr && (*ptr >= '0') && (*ptr <= '7');
applies = (applies << 3) | (*(ptr++) - '0'));
while (*ptr && ((*ptr == ' ') || (*ptr == '\t')))
ptr++;
if (!*ptr)
return;
/* Field 4: devices (the fun part...) */
llen = getalist(&ptr, listbuf);
for (i = 0; i < llen; i++) {
if (globlist = ftpglob(listbuf[i]))
while (*globlist) {
#ifdef DEBUG
syslog(LOG_DEBUG, "setting %s to %d/%d %o", *globlist, uid, gid, applies);
#endif /* DEBUG */
if ((chown(*globlist, uid, gid) < 0) && (errno != ENOENT))
perror("chown");
if ((chmod(*(globlist++), applies) < 0) && (errno != ENOENT))
perror("chmod");
}
}
}
VOIDRET permsfile FUNCTION((name, ttyn, uid, gid), char *name AND char *ttyn AND uid_t uid AND gid_t gid)
{
FILE *fh;
if (!(fh = fopen(HAVE_LOGIN_PERMFILE, "r"))) {
syslog(LOG_ERR, "Can't open %s!", HAVE_LOGIN_PERMFILE);
fprintf(stderr, "Warning: Can't set device permissions.\n");
return;
}
do {
if (feof(fh))
return;
if (fgets(buf, BUFSIZE, fh) == NULL)
return;
buf[BUFSIZE] = 0;
doaline(buf, name, ttyn, uid, gid);
}
while (1);
}
#endif /* HAVE_LOGIN_PERMFILE */

216
contrib/opie/popen.c
View File

@ -1,216 +0,0 @@
/* popen.c: A "safe" pipe open routine.
%%% portions-copyright-cmetz-96
Portions of this software are Copyright 1996-1999 by Craig Metz, All Rights
Reserved. The Inner Net License Version 2 applies to these portions of
the software.
You should have received a copy of the license with this software. If
you didn't get a copy, you may request one from <license@inner.net>.
Portions of this software are Copyright 1995 by Randall Atkinson and Dan
McDonald, All Rights Reserved. All Rights under this copyright are assigned
to the U.S. Naval Research Laboratory (NRL). The NRL Copyright Notice and
License Agreement applies to this software.
History:
Modified by cmetz for OPIE 2.31. Merged in some 4.4BSD-Lite fixes.
Modified by cmetz for OPIE 2.2. Use FUNCTION declaration et al.
Removed useless string. ifdef around some headers.
Modified at NRL for OPIE 2.1. Optimized for only one pipe at a time.
Added minimal version of sigprocmask(). Moved some pid_t
dancing to the config headers.
Modified at NRL for OPIE 2.0.
Originally from BSD.
$FreeBSD$
*/
/*
* Copyright (c) 1988, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* This code is derived from software written by Ken Arnold and
* published in UNIX Review, Vol. 6, No. 8.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#include "opie_cfg.h"
#include <sys/types.h>
#include <sys/wait.h>
#if HAVE_SIGNAL_H
#include <signal.h>
#endif /* HAVE_SIGNAL_H */
#if HAVE_SYS_SIGNAL_H
#include <sys/signal.h>
#endif /* HAVE_SYS_SIGNAL_H */
#if HAVE_UNISTD_H
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <stdio.h>
#if HAVE_STDLIB_H
#include <stdlib.h>
#endif /* HAVE_STDLIB_H */
#if HAVE_STRING_H
#include <string.h>
#endif /* HAVE_STRING_H */
#include "opie.h"
#define MAXUSRARGS 100
#define MAXGLOBARGS 1000
char **ftpglob __P((register char *));
char **copyblk __P((char **));
VOIDRET blkfree __P((char **));
/*
* Special version of popen which avoids call to shell. This ensures noone
* may create a pipe to a hidden program as a side effect of a list or dir
* command.
*/
static pid_t child_pid = -1;
static int pipe_fd;
extern char **environ;
FILE *ftpd_popen FUNCTION((program, type), char *program AND char *type)
{
char *cp;
FILE *iop;
int argc, gargc, pdes[2];
char **pop, *argv[MAXUSRARGS], *gargv[MAXGLOBARGS], *vv[2];
if ((*type != 'r' && *type != 'w') || type[1])
return (NULL);
if (pipe(pdes) < 0)
return (NULL);
/* break up string into pieces */
for (argc = 0, cp = program; argc < MAXUSRARGS-1; cp = NULL) {
if (!(argv[argc++] = strtok(cp, " \t\n")))
break;
}
argv[argc - 1] = NULL;
/* glob each piece */
gargv[0] = argv[0];
for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
if (!(pop = (char **) ftpglob(argv[argc]))) {
/* globbing failed */
vv[0] = argv[argc];
vv[1] = NULL;
pop = (char **) copyblk(vv);
}
argv[argc] = (char *) pop; /* save to free later */
while (*pop && gargc < MAXGLOBARGS-1)
gargv[gargc++] = *pop++;
}
gargv[gargc] = NULL;
iop = NULL;
switch (child_pid = fork()) {
case -1: /* error */
close(pdes[0]);
close(pdes[1]);
goto pfree;
/* NOTREACHED */
case 0: /* child */
if (*type == 'r') {
if (pdes[1] != 1) {
dup2(pdes[1], 1);
dup2(pdes[1], 2); /* stderr, too! */
close(pdes[1]);
}
close(pdes[0]);
} else {
if (pdes[0] != 0) {
dup2(pdes[0], 0);
close(pdes[0]);
}
close(pdes[1]);
}
environ = NULL;
execv(gargv[0], gargv);
_exit(1);
}
/* parent; assume fdopen can't fail... */
if (*type == 'r') {
iop = fdopen(pipe_fd = pdes[0], type);
close(pdes[1]);
} else {
iop = fdopen(pipe_fd = pdes[1], type);
close(pdes[0]);
}
pfree: for (argc = 1; argv[argc] != NULL; argc++) {
blkfree((char **) argv[argc]);
free((char *) argv[argc]);
}
return (iop);
}
int ftpd_pclose FUNCTION((iop), FILE *iop)
{
int status;
pid_t pid;
sigset_t omask, mask;
sigemptyset(&mask);
sigaddset(&mask, SIGINT);
sigaddset(&mask, SIGQUIT);
sigaddset(&mask, SIGHUP);
/* pclose returns -1 if stream is not associated with a `popened' command,
or, if already `pclosed'. */
if ((child_pid < 0) || (fileno(iop) != pipe_fd))
return (-1);
fclose(iop);
sigprocmask(SIG_BLOCK, &mask, &omask);
while ((pid = wait(&status)) != child_pid && (pid != -1));
sigprocmask(SIG_SETMASK, &omask, NULL);
child_pid = -1;
pipe_fd = -1;
#if defined(WEXITSTATUS) && defined(WIFEXITED)
if ((pid > 0) && WIFEXITED(status))
return WEXITSTATUS(status);
return -1;
#else /* defined(WEXITSTATUS) && defined(WIFEXITED) */
return (pid == -1 ? -1 : status.w_status);
#endif /* defined(WEXITSTATUS) && defined(WIFEXITED) */
}

4
contrib/telnet/telnet/telnet.1
View File

@ -1103,10 +1103,6 @@ Displays the legal
.Pq Ic unset
commands.
.El
.It Ic opie Ar sequence challenge
The
.Ic opie
command computes a response to the OPIE challenge.
.It Ic slc Ar state
The
.Ic slc

2
etc/mtree/BSD.var.dist
View File

@ -95,8 +95,6 @@
/set gname=daemon
lpd
..
opielocks mode=0700
..
output
lpd
..

4
lib/Makefile
View File

@ -77,7 +77,6 @@ SUBDIR= ${SUBDIR_BOOTSTRAP} \
libnetmap \
libnv \
libopenbsd \
libopie \
libpam \
libpathconv \
libpcap \
@ -132,8 +131,7 @@ SUBDIR_DEPEND_libgeom= libexpat libsbuf
SUBDIR_DEPEND_librpcsec_gss= libgssapi
SUBDIR_DEPEND_libmagic= libz
SUBDIR_DEPEND_libmemstat= libkvm
SUBDIR_DEPEND_libopie= libmd
SUBDIR_DEPEND_libpam= libcrypt libopie ${_libradius} librpcsvc libtacplus libutil ${_libypclnt} ${_libcom_err}
SUBDIR_DEPEND_libpam= libcrypt ${_libradius} librpcsvc libtacplus libutil ${_libypclnt} ${_libcom_err}
SUBDIR_DEPEND_libpjdlog= libutil
SUBDIR_DEPEND_libprocstat= libkvm libutil
SUBDIR_DEPEND_libradius= libmd

40
lib/libopie/Makefile
View File

@ -1,40 +0,0 @@
# Makefile for libopie
#
# $FreeBSD$
#
CONFS= opieaccess
CONFSMODE= 600
PACKAGE=lib${LIB}
OPIE_DIST?= ${SRCTOP}/contrib/opie
DIST_DIR= ${OPIE_DIST}/${.CURDIR:T}
SHLIB_MAJOR= 8
KEYFILE?= \"/etc/opiekeys\"
.PATH: ${DIST_DIR}
LIB= opie
SRCS= atob8.c btoa8.c btoh.c challenge.c getsequence.c hash.c hashlen.c \
keycrunch.c lock.c lookup.c newseed.c parsechallenge.c passcheck.c \
passwd.c randomchallenge.c readpass.c unlock.c verify.c version.c \
btoe.c accessfile.c generator.c insecure.c getutmpentry.c \
readrec.c writerec.c open.c
SRCS+= opieextra.c
INCS= ${OPIE_DIST}/opie.h
CFLAGS+=-I${.CURDIR} -I${OPIE_DIST} -I${DIST_DIR} \
-DKEY_FILE=${KEYFILE}
ACCESSFILE?= \"/etc/opieaccess\"
CFLAGS+= -DINSECURE_OVERRIDE -DPATH_ACCESS_FILE=${ACCESSFILE}
WARNS?= 0
LIBADD= md
MAN= ${OPIE_DIST}/opie.4 ${OPIE_DIST}/opiekeys.5 ${OPIE_DIST}/opieaccess.5
MLINKS= opie.4 skey.4
.include <bsd.lib.mk>

18
lib/libopie/Makefile.depend
View File

@ -1,18 +0,0 @@
# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
include \
include/arpa \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
lib/libmd \
.include <dirdeps.mk>
.if ${DEP_RELDIR} == ${_DEP_RELDIR}
# local dependencies - needed for -jN in clean tree
.endif

381
lib/libopie/config.h
View File

@ -1,381 +0,0 @@
/* $FreeBSD$ */
/* config.h. Generated automatically by configure. */
/* config.h.in. Generated automatically from configure.in by autoheader. */
/* Define if on AIX 3.
System headers sometimes define this.
We just want to avoid a redefinition error message. */
#ifndef _ALL_SOURCE
/* #undef _ALL_SOURCE */
#endif
/* Define if using alloca.c. */
/* #undef C_ALLOCA */
/* Define to empty if the keyword does not work. */
/* #undef const */
/* Define to one of _getb67, GETB67, getb67 for Cray-2 and Cray-YMP systems.
This function is required for alloca.c support on those systems. */
/* #undef CRAY_STACKSEG_END */
/* Define if you have alloca, as a function or macro. */
#define HAVE_ALLOCA 1
/* Define if you have <alloca.h> and it should be used (not on Ultrix). */
/* #undef HAVE_ALLOCA_H */
/* Define if you have <sys/wait.h> that is POSIX.1 compatible. */
#define HAVE_SYS_WAIT_H 1
/* Define if on MINIX. */
/* #undef _MINIX */
/* Define if the system does not provide POSIX.1 features except
with this defined. */
/* #undef _POSIX_1_SOURCE */
/* Define if you need to in order for stat and other things to work. */
/* #undef _POSIX_SOURCE */
/* Define as the return type of signal handlers (int or void). */
#define RETSIGTYPE void
/* If using the C implementation of alloca, define if you know the
direction of stack growth for your system; otherwise it will be
automatically deduced at run-time.
STACK_DIRECTION > 0 => grows toward higher addresses
STACK_DIRECTION < 0 => grows toward lower addresses
STACK_DIRECTION = 0 => direction of growth unknown
*/
/* #undef STACK_DIRECTION */
/* Define if you want the FTP daemon to support anonymous logins. */
/* #undef DOANONYMOUS */
/* The default value of the PATH environment variable */
#define DEFAULT_PATH "/usr/bin:/bin:/usr/sbin:/sbin"
/* Defined if the file /etc/default/login exists
(and, presumably, should be looked at by login) */
/* #undef HAVE_ETC_DEFAULT_LOGIN */
/* Defined to the name of a file that contains a list of files whose
permissions and ownerships should be changed on login. */
/* #undef HAVE_LOGIN_PERMFILE */
/* Defined to the name of a file that contains a list of environment
values that should be set on login. */
/* #undef HAVE_LOGIN_ENVFILE */
/* Defined if the file /etc/securetty exists
(and, presumably, should be looked at by login) */
/* #undef HAVE_SECURETTY */
/* Defined if the file /etc/shadow exists
(and, presumably, should be looked at for shadow passwords) */
/* #undef HAVE_ETC_SHADOW */
/* The path to the access file, if we're going to use it */
/* #undef PATH_ACCESS_FILE */
/* The path to the mail spool, if we know it */
#define PATH_MAIL "/var/mail"
/* The path to the utmp file, if we know it */
#define PATH_UTMP_AC "/var/run/utmp"
/* The path to the wtmp file, if we know it */
#define PATH_WTMP_AC "/var/log/wtmp"
/* The path to the wtmpx file, if we know it */
/* #undef PATH_WTMPX_AC */
/* Defined if the system's profile (/etc/profile) displays
the motd file */
/* #undef HAVE_MOTD_IN_PROFILE */
/* Defined if the system's profile (/etc/profile) informs the
user of new mail */
/* #undef HAVE_MAILCHECK_IN_PROFILE */
/* Define if you have a nonstandard gettimeofday() that takes one argument
instead of two. */
/* #undef HAVE_ONE_ARG_GETTIMEOFDAY */
/* Define if the system has the getenv function */
#define HAVE_GETENV 1
/* Define if the system has the setenv function */
#define HAVE_SETENV 1
/* Define if the system has the /var/adm/sulog file */
/* #undef HAVE_SULOG */
/* Define if the system has the unsetenv function */
#define HAVE_UNSETENV 1
/* Define if the compiler can handle ANSI-style argument lists */
#define HAVE_ANSIDECL 1
/* Define if the compiler can handle ANSI-style prototypes */
#define HAVE_ANSIPROTO 1
/* Define if the system has an ANSI-style printf (returns int instead of char *) */
#define HAVE_ANSISPRINTF 1
/* Define if the compiler can handle ANSI-style variable argument lists */
#define HAVE_ANSISTDARG 1
/* Define if the compiler can handle void argument lists to functions */
#define HAVE_VOIDARG 1
/* Define if the compiler can handle void return "values" from functions */
#define HAVE_VOIDRET 1
/* Define if the compiler can handle void pointers to our liking */
#define HAVE_VOIDPTR 1
/* Define if the /bin/ls command seems to support the -g flag */
/* #undef HAVE_LS_G_FLAG */
/* Define if there is a ut_pid field in struct utmp */
/* #undef HAVE_UT_PID */
/* Define if there is a ut_type field in struct utmp */
/* #undef HAVE_UT_TYPE */
/* Define if there is a ut_name field in struct utmp */
#define HAVE_UT_NAME 1
/* Define if there is a ut_host field in struct utmp */
#define HAVE_UT_HOST 1
/* Define if the system has getutline() */
/* #undef HAVE_GETUTLINE */
/* Defined if the system has SunOS C2 security shadow passwords */
/* #undef HAVE_SUNOS_C2_SHADOW */
/* Defined if you want to disable utmp support */
/* #undef DISABLE_UTMP */
/* Defined if you want to allow users to override the insecure checks */
/* #undef INSECURE_OVERRIDE */
/* Defined to the default hash value, always defined */
#define MDX 5
/* Defined if new-style prompts are to be used */
#define NEW_PROMPTS 1
/* Defined to the path of the OPIE lock directory */
#define OPIE_LOCK_DIR "/var/spool/opielocks"
/* Defined if users are to be asked to re-type secret pass phrases */
/* #undef RETYPE */
/* Defined if su should not switch to disabled accounts */
/* #undef SU_STAR_CHECK */
/* Don't turn it on! It allows intruder easily disable whole OPIE for user */
/* Defined if user locking is to be used */
/* #undef USER_LOCKING */
/* Define if you have the bcopy function. */
/* #undef HAVE_BCOPY */
/* Define if you have the bzero function. */
/* #undef HAVE_BZERO */
/* Define if you have the endspent function. */
/* #undef HAVE_ENDSPENT */
/* Define if you have the fpurge function. */
#define HAVE_FPURGE 1
/* Define if you have the getdtablesize function. */
/* #undef HAVE_GETDTABLESIZE */
/* Define if you have the getgroups function. */
#define HAVE_GETGROUPS 1
/* Define if you have the gethostname function. */
/* #undef HAVE_GETHOSTNAME */
/* Define if you have the getspnam function. */
/* #undef HAVE_GETSPNAM */
/* Define if you have the gettimeofday function. */
#define HAVE_GETTIMEOFDAY 1
/* Define if you have the getttynam function. */
#define HAVE_GETTTYNAM 1
/* Define if you have the getusershell function. */
#define HAVE_GETUSERSHELL 1
/* Define if you have the getutxline function. */
#define HAVE_GETUTXLINE 1
/* Define if you have the getwd function. */
/* #undef HAVE_GETWD */
/* Define if you have the index function. */
/* #undef HAVE_INDEX */
/* Define if you have the lstat function. */
#define HAVE_LSTAT 1
/* Define if you have the on_exit function. */
/* #undef HAVE_ON_EXIT */
/* Define if you have the pututxline function. */
#define HAVE_PUTUTXLINE 1
/* Define if you have the rindex function. */
/* #undef HAVE_RINDEX */
/* Define if you have the setgroups function. */
#define HAVE_SETGROUPS 1
/* Define if you have the setlogin function. */
#define HAVE_SETLOGIN 1
/* Define if you have the setpriority function. */
#define HAVE_SETPRIORITY 1
/* Define if you have the setregid function. */
/* #undef HAVE_SETREGID */
/* Define if you have the setresgid function. */
/* #undef HAVE_SETRESGID */
/* Define if you have the setresuid function. */
/* #undef HAVE_SETRESUID */
/* Define if you have the setreuid function. */
/* #undef HAVE_SETREUID */
/* Define if you have the setvbuf function. */
#define HAVE_SETVBUF 1
/* Define if you have the sigaddset function. */
#define HAVE_SIGADDSET 1
/* Define if you have the sigblock function. */
/* #undef HAVE_SIGBLOCK */
/* Define if you have the sigemptyset function. */
#define HAVE_SIGEMPTYSET 1
/* Define if you have the sigsetmask function. */
/* #undef HAVE_SIGSETMASK */
/* Define if you have the socket function. */
#define HAVE_SOCKET 1
/* Define if you have the strerror function. */
#define HAVE_STRERROR 1
/* Define if you have the strftime function. */
#define HAVE_STRFTIME 1
/* Define if you have the strncasecmp function. */
#define HAVE_STRNCASECMP 1
/* Define if you have the strstr function. */
#define HAVE_STRSTR 1
/* Define if you have the ttyslot function. */
#define HAVE_TTYSLOT 1
/* Define if you have the usleep function. */
#define HAVE_USLEEP 1
/* Define if you have the <crypt.h> header file. */
/* #undef HAVE_CRYPT_H */
/* Define if you have the <dirent.h> header file. */
#define HAVE_DIRENT_H 1
/* Define if you have the <fcntl.h> header file. */
#define HAVE_FCNTL_H 1
/* Define if you have the <lastlog.h> header file. */
/* #undef HAVE_LASTLOG_H */
/* Define if you have the <limits.h> header file. */
#define HAVE_LIMITS_H 1
/* Define if you have the <ndir.h> header file. */
/* #undef HAVE_NDIR_H */
/* Define if you have the <paths.h> header file. */
#define HAVE_PATHS_H 1
/* Define if you have the <pwd.h> header file. */
#define HAVE_PWD_H 1
/* Define if you have the <shadow.h> header file. */
/* #undef HAVE_SHADOW_H */
/* Define if you have the <signal.h> header file. */
#define HAVE_SIGNAL_H 1
/* Define if you have the <stdlib.h> header file. */
#define HAVE_STDLIB_H 1
/* Define if you have the <string.h> header file. */
#define HAVE_STRING_H 1
/* Define if you have the <sys/dir.h> header file. */
/* #undef HAVE_SYS_DIR_H */
/* Define if you have the <sys/file.h> header file. */
#define HAVE_SYS_FILE_H 1
/* Define if you have the <sys/ioctl.h> header file. */
#define HAVE_SYS_IOCTL_H 1
/* Define if you have the <sys/ndir.h> header file. */
/* #undef HAVE_SYS_NDIR_H */
/* Define if you have the <sys/param.h> header file. */
#define HAVE_SYS_PARAM_H 1
/* Define if you have the <sys/select.h> header file. */
#define HAVE_SYS_SELECT_H 1
/* Define if you have the <sys/signal.h> header file. */
#define HAVE_SYS_SIGNAL_H 1
/* Define if you have the <sys/time.h> header file. */
#define HAVE_SYS_TIME_H 1
/* Define if you have the <sys/utsname.h> header file. */
#define HAVE_SYS_UTSNAME_H 1
/* Define if you have the <syslog.h> header file. */
#define HAVE_SYSLOG_H 1
/* Define if you have the <termios.h> header file. */
#define HAVE_TERMIOS_H 1
/* Define if you have the <unistd.h> header file. */
#define HAVE_UNISTD_H 1
/* Define if you have the <utmpx.h> header file. */
#define HAVE_UTMPX_H 1
/* Define if you have the crypt library (-lcrypt). */
#define HAVE_LIBCRYPT 1
/* Define if you have the nsl library (-lnsl). */
/* #undef HAVE_LIBNSL */
/* Define if you have the posix library (-lposix). */
/* #undef HAVE_LIBPOSIX */
/* Define if you have the socket library (-lsocket). */
/* #undef HAVE_LIBSOCKET */

13
lib/libopie/opieaccess
View File

@ -1,13 +0,0 @@
# $FreeBSD$
#
# This file controls whether UNIX passwords are to be permitted. Rules
# are matched in order, and the search terminates when the first matching
# rule has been found. Default action is "deny". See opieaccess(5) for
# more information.
#
# Each rule has the form:
#
# permit address netmask
# deny address netmask
#
#permit 127.0.0.1 255.255.255.255

98
lib/libopie/opieextra.c
View File

@ -1,98 +0,0 @@
/*
* This file contains routines modified from OpenBSD. Parts are contributed
* by Todd Miller <millert@openbsd.org>, Theo De Raadt <deraadt@openbsd.org>
* and possibly others.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <stdio.h>
#include <opie.h>
/*
* opie_haopie()
*
* Returns: 1 user doesnt exist, -1 file error, 0 user exists.
*
*/
int
opie_haskey(username)
char *username;
{
struct opie opie;
return opielookup(&opie, username);
}
/*
* opie_keyinfo()
*
* Returns the current sequence number and
* seed for the passed user.
*
*/
char *
opie_keyinfo(username)
char *username;
{
int i;
static char str[OPIE_CHALLENGE_MAX];
struct opie opie;
i = opiechallenge(&opie, username, str);
if (i == -1)
return(0);
return(str);
}
/*
* opie_passverify()
*
* Check to see if answer is the correct one to the current
* challenge.
*
* Returns: 0 success, -1 failure
*
*/
int
opie_passverify(username, passwd)
char *username;
char *passwd;
{
int i;
struct opie opie;
i = opielookup(&opie, username);
if (i == -1 || i == 1)
return(-1);
if (opieverify(&opie, passwd) == 0)
return(opie.opie_n);
return(-1);
}
#define OPIE_HASH_DEFAULT 1
/* Current hash type (index into opie_hash_types array) */
static int opie_hash_type = OPIE_HASH_DEFAULT;
struct opie_algorithm_table {
const char *name;
};
static struct opie_algorithm_table opie_algorithm_table[] = {
"md4", "md5"
};
/* Get current hash type */
const char *
opie_get_algorithm()
{
return(opie_algorithm_table[opie_hash_type].name);
}

2
lib/libpam/modules/modules.inc
View File

@ -17,8 +17,6 @@ MODULES += pam_ksu
MODULES += pam_lastlog
MODULES += pam_login_access
MODULES += pam_nologin
MODULES += pam_opie
MODULES += pam_opieaccess
MODULES += pam_passwdqc
MODULES += pam_permit
.if ${MK_RADIUS_SUPPORT} != "no"

36
lib/libpam/modules/pam_opie/Makefile
View File

@ -1,36 +0,0 @@
# Copyright 2000 James Bloom
# All rights reserved.
# Based upon code Copyright 1998 Juniper Networks, Inc.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
# 1. Redistributions of source code must retain the above copyright
# notice, this list of conditions and the following disclaimer.
# 2. Redistributions in binary form must reproduce the above copyright
# notice, this list of conditions and the following disclaimer in the
# documentation and/or other materials provided with the distribution.
#
# THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# $FreeBSD$
PACKAGE= runtime
LIB= pam_opie
SRCS= pam_opie.c
MAN= pam_opie.8
LIBADD+= opie
.include <bsd.lib.mk>

19
lib/libpam/modules/pam_opie/Makefile.depend
View File

@ -1,19 +0,0 @@
# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
gnu/lib/csu \
include \
include/xlocale \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
lib/libopie \
lib/libpam/libpam \
.include <dirdeps.mk>
.if ${DEP_RELDIR} == ${_DEP_RELDIR}
# local dependencies - needed for -jN in clean tree
.endif

127
lib/libpam/modules/pam_opie/pam_opie.8
View File

@ -1,127 +0,0 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2002 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior written
.\" permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd September 15, 2022
.Dt PAM_OPIE 8
.Os
.Sh NAME
.Nm pam_opie
.Nd OPIE PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_opie
.Op Ar options
.Sh DEPRECATION NOTICE
OPIE is deprecated, and may not be available in
.Fx 14.0
and later.
.Sh DESCRIPTION
The OPIE authentication service module for PAM,
.Nm
provides functionality for only one PAM category:
that of authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dq Li auth
feature.
It also provides a null function for session management.
.Pp
Note that this module does not enforce
.Xr opieaccess 5
checks.
There is a separate module,
.Xr pam_opieaccess 8 ,
for this purpose.
.Ss OPIE Authentication Module
The OPIE authentication component
provides functions to verify the identity of a user
.Pq Fn pam_sm_authenticate ,
which obtains the relevant
.Xr opie 4
credentials.
It provides the user with an OPIE challenge,
and verifies that this is correct with
.Xr opiechallenge 3 .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm auth_as_self"
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm auth_as_self
This option will require the user
to authenticate himself as the user
given by
.Xr getlogin 2 ,
not as the account they are attempting to access.
This is primarily for services like
.Xr su 1 ,
where the user's ability to retype
their own password
might be deemed sufficient.
.It Cm no_fake_prompts
Do not generate fake challenges for users who do not have an OPIE key.
Note that this can leak information to a hypothetical attacker about
who uses OPIE and who does not, but it can be useful on systems where
some users want to use OPIE but most do not.
.El
.Pp
Note that
.Nm
ignores the standard options
.Cm try_first_pass
and
.Cm use_first_pass ,
since a challenge must be generated before the user can submit a valid
response.
.Sh FILES
.Bl -tag -width ".Pa /etc/opiekeys" -compact
.It Pa /etc/opiekeys
default OPIE password database.
.El
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr getlogin 2 ,
.Xr opiechallenge 3 ,
.Xr syslog 3 ,
.Xr opie 4 ,
.Xr pam.conf 5 ,
.Xr pam 3

157
lib/libpam/modules/pam_opie/pam_opie.c
View File

@ -1,157 +0,0 @@
/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright 2000 James Bloom
* All rights reserved.
* Based upon code Copyright 1998 Juniper Networks, Inc.
* Copyright (c) 2001-2003 Networks Associates Technology, Inc.
* All rights reserved.
*
* Portions of this software were developed for the FreeBSD Project by
* ThinkSec AS and NAI Labs, the Security Research Division of Network
* Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
* ("CBOSS"), as part of the DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#include <sys/types.h>
#include <opie.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#define PAM_SM_AUTH
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
#define PAM_OPT_NO_FAKE_PROMPTS "no_fake_prompts"
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
struct opie opie;
struct passwd *pwd;
int retval, i;
const char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
char challenge[OPIE_CHALLENGE_MAX + 1];
char principal[OPIE_PRINCIPAL_MAX];
const char *user;
char *response;
int style;
user = NULL;
if (openpam_get_option(pamh, PAM_OPT_AUTH_AS_SELF)) {
if ((pwd = getpwnam(getlogin())) == NULL)
return (PAM_AUTH_ERR);
user = pwd->pw_name;
}
else {
retval = pam_get_user(pamh, &user, NULL);
if (retval != PAM_SUCCESS)
return (retval);
}
PAM_LOG("Got user: %s", user);
/*
* Watch out: libopie feels entitled to truncate the user name
* passed to it if it's longer than OPIE_PRINCIPAL_MAX, which is
* not uncommon in Windows environments.
*/
if (strlen(user) >= sizeof(principal))
return (PAM_AUTH_ERR);
strlcpy(principal, user, sizeof(principal));
/*
* Don't call the OPIE atexit() handler when our program exits,
* since the module has been unloaded and we will SEGV.
*/
opiedisableaeh();
/*
* If the no_fake_prompts option was given, and the user
* doesn't have an OPIE key, just fail rather than present the
* user with a bogus OPIE challenge.
*/
if (opiechallenge(&opie, principal, challenge) != 0 &&
openpam_get_option(pamh, PAM_OPT_NO_FAKE_PROMPTS))
return (PAM_AUTH_ERR);
/*
* It doesn't make sense to use a password that has already been
* typed in, since we haven't presented the challenge to the user
* yet, so clear the stored password.
*/
pam_set_item(pamh, PAM_AUTHTOK, NULL);
style = PAM_PROMPT_ECHO_OFF;
for (i = 0; i < 2; i++) {
retval = pam_prompt(pamh, style, &response,
promptstr[i], challenge);
if (retval != PAM_SUCCESS) {
opieunlock();
return (retval);
}
PAM_LOG("Completed challenge %d: %s", i, response);
if (response[0] != '\0')
break;
/* Second time round, echo the password */
style = PAM_PROMPT_ECHO_ON;
}
pam_set_item(pamh, PAM_AUTHTOK, response);
/*
* Opieverify is supposed to return -1 only if an error occurs.
* But it returns -1 even if the response string isn't in the form
* it expects. Thus we can't log an error and can only check for
* success or lack thereof.
*/
retval = opieverify(&opie, response);
free(response);
return (retval == 0 ? PAM_SUCCESS : PAM_AUTH_ERR);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_opie");

11
lib/libpam/modules/pam_opieaccess/Makefile
View File

@ -1,11 +0,0 @@
# $FreeBSD$
PACKAGE= runtime
LIB= pam_opieaccess
SRCS= ${LIB}.c
MAN= pam_opieaccess.8
LIBADD+= opie
.include <bsd.lib.mk>

18
lib/libpam/modules/pam_opieaccess/Makefile.depend
View File

@ -1,18 +0,0 @@
# $FreeBSD$
# Autogenerated - do NOT edit!
DIRDEPS = \
gnu/lib/csu \
include \
lib/${CSU_DIR} \
lib/libc \
lib/libcompiler_rt \
lib/libopie \
lib/libpam/libpam \
.include <dirdeps.mk>
.if ${DEP_RELDIR} == ${_DEP_RELDIR}
# local dependencies - needed for -jN in clean tree
.endif

146
lib/libpam/modules/pam_opieaccess/pam_opieaccess.8
View File

@ -1,146 +0,0 @@
.\" Copyright (c) 2001 Mark R V Murray
.\" All rights reserved.
.\" Copyright (c) 2002 Networks Associates Technology, Inc.
.\" All rights reserved.
.\"
.\" Portions of this software were developed for the FreeBSD Project by
.\" ThinkSec AS and NAI Labs, the Security Research Division of Network
.\" Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035
.\" ("CBOSS"), as part of the DARPA CHATS research program.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. The name of the author may not be used to endorse or promote
.\" products derived from this software without specific prior written
.\" permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd September 15, 2022
.Dt PAM_OPIEACCESS 8
.Os
.Sh NAME
.Nm pam_opieaccess
.Nd OPIEAccess PAM module
.Sh SYNOPSIS
.Op Ar service-name
.Ar module-type
.Ar control-flag
.Pa pam_opieaccess
.Op Ar options
.Sh DEPRECATION NOTICE
OPIE is deprecated, and may not be available in
.Fx 14.0
and later.
.Sh DESCRIPTION
The
.Nm
module is used in conjunction with the
.Xr pam_opie 8
PAM module to ascertain that authentication can proceed by other means
(such as the
.Xr pam_unix 8
module) even if OPIE authentication failed.
To properly use this module,
.Xr pam_opie 8
should be marked
.Dq Li sufficient ,
and
.Nm
should be listed right below it and marked
.Dq Li requisite .
.Pp
The
.Nm
module provides functionality for only one PAM category:
authentication.
In terms of the
.Ar module-type
parameter, this is the
.Dq Li auth
feature.
It also provides null functions for the remaining module types.
.Ss OPIEAccess Authentication Module
The authentication component
.Pq Fn pam_sm_authenticate ,
returns
.Dv PAM_SUCCESS
in two cases:
.Bl -enum
.It
The user does not have OPIE enabled.
.It
The user has OPIE enabled, and the remote host is listed as a trusted
host in
.Pa /etc/opieaccess ,
and the user does not have a file named
.Pa \&.opiealways
in his home directory.
.El
.Pp
Otherwise, it returns
.Dv PAM_AUTH_ERR .
.Pp
The following options may be passed to the authentication module:
.Bl -tag -width ".Cm allow_local"
.It Cm allow_local
Normally, local logins are subjected to the same restrictions as
remote logins from
.Dq localhost .
This option causes
.Nm
to always allow local logins.
.It Cm debug
.Xr syslog 3
debugging information at
.Dv LOG_DEBUG
level.
.It Cm no_warn
suppress warning messages to the user.
These messages include reasons why the user's authentication attempt
was declined.
.El
.Sh FILES
.Bl -tag -width ".Pa $HOME/.opiealways"
.It Pa /etc/opieaccess
List of trusted hosts or networks.
See
.Xr opieaccess 5
for a description of its syntax.
.It Pa $HOME/.opiealways
The presence of this file makes OPIE mandatory for the user.
.El
.Sh SEE ALSO
.Xr opie 4 ,
.Xr opieaccess 5 ,
.Xr pam.conf 5 ,
.Xr pam 3 ,
.Xr pam_opie 8
.Sh AUTHORS
The
.Nm
module and this manual page were developed for the
.Fx
Project by
ThinkSec AS and NAI Labs, the Security Research Division of Network
Associates, Inc.\& under DARPA/SPAWAR contract N66001-01-C-8035
.Pq Dq CBOSS ,
as part of the DARPA CHATS research program.

97
lib/libpam/modules/pam_opieaccess/pam_opieaccess.c
View File

@ -1,97 +0,0 @@
/*-
* SPDX-License-Identifier: BSD-3-Clause
*
* Copyright (c) 2002 Networks Associates Technology, Inc.
* All rights reserved.
*
* This software was developed for the FreeBSD Project by ThinkSec AS and
* NAI Labs, the Security Research Division of Network Associates, Inc.
* under DARPA/SPAWAR contract N66001-01-C-8035 ("CBOSS"), as part of the
* DARPA CHATS research program.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. The name of the author may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
#define _BSD_SOURCE
#include <sys/types.h>
#include <opie.h>
#include <pwd.h>
#include <unistd.h>
#include <syslog.h>
#define PAM_SM_AUTH
#include <security/pam_appl.h>
#include <security/pam_modules.h>
#include <security/pam_mod_misc.h>
PAM_EXTERN int
pam_sm_authenticate(pam_handle_t *pamh, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
struct opie opie;
struct passwd *pwent;
const void *luser, *rhost;
int r;
r = pam_get_item(pamh, PAM_USER, &luser);
if (r != PAM_SUCCESS)
return (r);
if (luser == NULL)
return (PAM_SERVICE_ERR);
pwent = getpwnam(luser);
if (pwent == NULL || opielookup(&opie, __DECONST(char *, luser)) != 0)
return (PAM_SUCCESS);
r = pam_get_item(pamh, PAM_RHOST, &rhost);
if (r != PAM_SUCCESS)
return (r);
if (rhost == NULL || *(const char *)rhost == '\0')
rhost = openpam_get_option(pamh, "allow_local") ?
"" : "localhost";
if (opieaccessfile(__DECONST(char *, rhost)) != 0 &&
opiealways(pwent->pw_dir) != 0)
return (PAM_SUCCESS);
PAM_VERBOSE_ERROR("Refused; remote host is not in opieaccess");
return (PAM_AUTH_ERR);
}
PAM_EXTERN int
pam_sm_setcred(pam_handle_t *pamh __unused, int flags __unused,
int argc __unused, const char *argv[] __unused)
{
return (PAM_SUCCESS);
}
PAM_MODULE_ENTRY("pam_opieaccess");

2
lib/libpam/pam.d/ftpd
View File

@ -5,8 +5,6 @@
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

2
lib/libpam/pam.d/other
View File

@ -5,8 +5,6 @@
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

2
lib/libpam/pam.d/sshd
View File

@ -5,8 +5,6 @@
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass

Some files were not shown because too many files have changed in this diff Show More