From 1c8d2f60ac9179f8fd82c7b6d5e8a116eaed23d8 Mon Sep 17 00:00:00 2001
From: Stefan Ritt
Date: Thu, 20 Jan 2011 15:03:28 +0000
Subject: [PATCH] Implemented combined authentication Kerberos/File

SVN revision: 2370
---
 build.bat | 2 +-
 src/auth.c | 31 ++++++++++++++++++++++---------
 src/elogd.c | 44 ++++++++++++++++----------------------------
 src/elogd.h | 1 +
 4 files changed, 40 insertions(+), 38 deletions(-)

diff --git a/build.bat b/build.bat
index 8c66041a..bbab0258 100755
--- a/build.bat
+++ b/build.bat
@@ -10,7 +10,7 @@ cl /O2 /Ob2 /Oi /Ot /I "\mxml" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_CRT_SEC
 cl /O2 /Ob2 /Oi /Ot /I "\mxml" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_CRT_SECURE_NO_DEPRECATE" /D "_CRT_NONSTDC_NO_DEPRECATE" /D "_VC80_UPGRADE=0x0710" /D "_MBCS" /GF /FD /EHsc /MT /Gy /Fo".\NT\Release/" /W3 /nologo /c /Zi /TC \mxml\mxml.c
 cl /O2 /Ob2 /Oi /Ot /I "\mxml" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_CRT_SECURE_NO_DEPRECATE" /D "_CRT_NONSTDC_NO_DEPRECATE" /D "_VC80_UPGRADE=0x0710" /D "_MBCS" /GF /FD /EHsc /MT /Gy /Fo".\NT\Release/" /W3 /nologo /c /Zi /TC \mxml\strlcpy.c
-link "/OUT:.\NT\Release/elogd.exe" /INCREMENTAL:NO /DEBUG /SUBSYSTEM:CONSOLE /STACK:4000000 /MACHINE:X86 wsock32.lib advapi32.lib ".\NT\Release\elogd.obj" ".\NT\Release\mxml.obj" ".\NT\Release\regex.obj" ".\NT\Release\crypt.obj" ".\NT\Release\strlcpy.obj" "\openssl\lib\vc\ssleay32MD.lib" "\openssl\lib\vc\libeay32MD.lib"
+link "/OUT:.\NT\Release/elogd.exe" /INCREMENTAL:NO /DEBUG /SUBSYSTEM:CONSOLE /STACK:4000000 /MACHINE:X86 wsock32.lib advapi32.lib ".\NT\Release\elogd.obj" ".\NT\Release\mxml.obj" ".\NT\Release\regex.obj" ".\NT\Release\crypt.obj" ".\NT\Release\strlcpy.obj" "\openssl\lib\vc\ssleay32MD.lib" "\openssl\lib\vc\libeay32MD.lib" "\krb5\lib\i386\krb5_32.lib"
 cl /O2 /Ob2 /Oi /Ot /I "\mxml" /I "\openssl\include" /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /D "_CRT_SECURE_NO_DEPRECATE" /D "_CRT_NONSTDC_NO_DEPRECATE" /D "_VC80_UPGRADE=0x0710" /D "_MBCS" /D "HAVE_SSL" /GF /FD /EHsc /MT /Gy /Fo".\NT\Release/" /W3 /nologo /c /Zi /TC src\elog.c
 link "/OUT:.\NT\Release/elog.exe" /INCREMENTAL:NO /DEBUG /SUBSYSTEM:CONSOLE /MACHINE:X86 wsock32.lib ".\NT\Release\elog.obj" ".\NT\Release\crypt.obj" "\openssl\lib\vc\ssleay32MD.lib" "\openssl\lib\vc\libeay32MD.lib"
diff --git a/src/auth.c b/src/auth.c
index cb854d7e..9f2dd2ca 100644
--- a/src/auth.c
+++ b/src/auth.c
@@ -72,7 +72,8 @@ int auth_verify_password_krb5(LOGBOOK *lbs, const char *user, const char *passwo
 krb5_get_init_creds_opt_free(context, &options);
 krb5_free_context(context);
- if (error && error != KRB5KDC_ERR_PREAUTH_FAILED) {
+ if (error && error != KRB5KDC_ERR_PREAUTH_FAILED &&
+ error != KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN) {
 strlcpy(error_str, "Kerberos error:
", error_size);
 strlcat(error_str, krb5_get_error_message(context, error), error_size);
 strlcat(error_str, ".
Please check your Kerberos configuration.", error_size);
@@ -186,7 +187,7 @@ int auth_verify_password_file(LOGBOOK *lbs, const char *user, const char *passwo
 int auth_change_password_file(LOGBOOK *lbs, const char *user, const char *old_pwd, const char *new_pwd, char *error_str, int error_size)
 {
- char str[256], file_name[256];
+ char str[256], file_name[256], enc_pwd[256];
 PMXML_NODE node;
 if (lbs == NULL)
@@ -200,7 +201,8 @@ int auth_change_password_file(LOGBOOK *lbs, const char *user, const char *old_pw
 if (node == NULL)
 return FALSE;
- mxml_replace_node_value(node, new_pwd);
+ do_crypt(new_pwd, enc_pwd, sizeof(enc_pwd));
+ mxml_replace_node_value(node, enc_pwd);
 if (get_password_file(lbs, file_name, sizeof(file_name)))
 mxml_write_tree(file_name, lbs->pwd_xml_tree);
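Review bot: `krb5_get_error_message(context, error)` on the new side is called after `krb5_free_context(context)` above it, so the context it receives has already been released; either move the free below the error-string block or fetch the message into a local before freeing. The string returned by `krb5_get_error_message()` is also never released with `krb5_free_error_message()`, so every reported KDC error leaks it. Treating `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` like a pre-authentication failure is what lets the File backend take over for users the KDC does not know, which deserves a comment such as `/* unknown principal is not a Kerberos error: let the next backend decide */`. The rest of auth_verify_password_krb5's body lies outside the hunk.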
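Review bot: auth_change_password_file now hashes `new_pwd` itself with `do_crypt()` (hunk at `@@ -200`), which silently changes its contract from "store this already-hashed value" to "store this plaintext", and neither this hunk nor the declaration hunk at `@@ -186` documents it; a comment on the function such as `/* new_pwd is plaintext; it is hashed with do_crypt() before being stored */` would keep callers from hashing twice. The return value of `mxml_write_tree()` is still ignored, so a failed write leaves the in-memory tree and the password file out of sync while the caller presumably sees success; it should be checked and reported through error_str. `old_pwd` is not consulted anywhere in this hunk, so verifying the old password is entirely the caller's job; the function's remaining body is outside the hunk.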
@@ -213,29 +215,40 @@ int auth_change_password_file(LOGBOOK *lbs, const char *user, const char *old_pw
 int auth_verify_password(LOGBOOK *lbs, const char *user, const char *password, char *error_str, int error_size)
 {
 char str[256];
+ BOOL verified;
 error_str[0] = 0;
+ verified = FALSE;
 getcfg(lbs->name, "Authentication", str, sizeof(str));
 #ifdef HAVE_KRB5
- if (stricmp(str, "Kerberos") == 0)
- return auth_verify_password_krb5(lbs, user, password, error_str, error_size);
+ if (stristr(str, "Kerberos"))
+ verified = auth_verify_password_krb5(lbs, user, password, error_str, error_size);
+ if (verified)
+ return TRUE;
 #endif
- return auth_verify_password_file(lbs, user, password, error_str, error_size);
+ if (str[0] == 0 || stristr(str, "File"))
+ verified = auth_verify_password_file(lbs, user, password, error_str, error_size);
+
+ return verified;
 }
 int auth_change_password(LOGBOOK *lbs, const char *user, const char *old_pwd, const char *new_pwd, char *error_str, int error_size)
 {
+ int status;
 char str[256];
 error_str[0] = 0;
 getcfg(lbs->name, "Authentication", str, sizeof(str));
+ if (str[0] == 0 || stristr(str, "File"))
+ status = auth_change_password_file(lbs, user, old_pwd, new_pwd, error_str, error_size);
+
 #ifdef HAVE_KRB5
- if (stricmp(str, "Kerberos") == 0)
- return auth_change_password_krb5(lbs, user, old_pwd, new_pwd, error_str, error_size);
+ if (stristr(str, "Kerberos"))
+ status = auth_change_password_krb5(lbs, user, old_pwd, new_pwd, error_str, error_size);
 #endif
- return auth_change_password_file(lbs, user, old_pwd, new_pwd, error_str, error_size);
+ return status;
 }
diff --git a/src/elogd.c b/src/elogd.c
index fe6bb4bc..929120c4 100755
--- a/src/elogd.c
+++ b/src/elogd.c
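Review bot: `int status;` in auth_change_password is never initialised, and when the Authentication value names neither File nor Kerberos (or names Kerberos in a build without HAVE_KRB5) no branch assigns it, so the function returns an indeterminate value; `int status = FALSE;` is the minimal fix, ideally with error_str set for the unhandled configuration. In the combined "Kerberos, File" configuration the File backend is updated first and `status` is then overwritten by the Kerberos result, so a failing Kerberos change reports failure after the file password has already been replaced, and a failing File change is masked by a Kerberos success; the two results need to be combined, e.g. stop after the first failure and return FALSE. In auth_verify_password the same combined configuration falls through to the File backend after a Kerberos failure, which is the intended behaviour but is worth stating in a comment such as `/* Kerberos first; on failure (including unknown principal) try the password file */`.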
@@ -8514,22 +8514,12 @@ void show_change_pwd_page(LOGBOOK * lbs)
 old_pwd[0] = new_pwd[0] = new_pwd2[0] = 0;
- if (stricmp(auth, "Kerberos") == 0) {
- if (isparam("oldpwd"))
- strlcpy(old_pwd, getparam("oldpwd"), sizeof(old_pwd));
- if (isparam("newpwd"))
- strlcpy(new_pwd, getparam("newpwd"), sizeof(new_pwd));
- if (isparam("newpwd2"))
- strlcpy(new_pwd2, getparam("newpwd2"), sizeof(new_pwd2));
-
- } else {
- if (isparam("oldpwd"))
- do_crypt(getparam("oldpwd"), old_pwd, sizeof(old_pwd));
- if (isparam("newpwd"))
- do_crypt(getparam("newpwd"), new_pwd, sizeof(new_pwd));
- if (isparam("newpwd2"))
- do_crypt(getparam("newpwd2"), new_pwd2, sizeof(new_pwd2));
- }
+ if (isparam("oldpwd"))
+ strlcpy(old_pwd, getparam("oldpwd"), sizeof(old_pwd));
+ if (isparam("newpwd"))
+ strlcpy(new_pwd, getparam("newpwd"), sizeof(new_pwd));
+ if (isparam("newpwd2"))
+ strlcpy(new_pwd2, getparam("newpwd2"), sizeof(new_pwd2));
 strlcpy(user, isparam("unm") ? getparam("unm") : "", sizeof(user));
 if (isparam("config")) {
@@ -8549,9 +8539,9 @@ void show_change_pwd_page(LOGBOOK * lbs)
 }
 if (old_pwd[0] || new_pwd[0]) {
- if (user[0] && get_user_line(lbs, user, act_pwd, full_user, NULL, NULL, NULL, NULL)) {
+ if (user[0]) {
- if (stricmp(auth, "Kerberos") == 0) {
+ if (stristr(auth, "Kerberos")) {
 if (strcmp(new_pwd, new_pwd2) != 0)
 wrong_pwd = 2;
 } else {
@@ -8560,7 +8550,7 @@ void show_change_pwd_page(LOGBOOK * lbs)
 && stricmp(getparam("unm"), user) != 0)
 wrong_pwd = 0;
 else {
- if (strcmp(old_pwd, act_pwd) != 0)
+ if (!auth_verify_password(lbs, user, old_pwd, str, sizeof(str)))
 wrong_pwd = 1;
 }
@@ -12700,7 +12690,7 @@ int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
 /* check for blank password if not external authentication*/
 getcfg(lbs->name, "Authentication", auth, sizeof(auth));
- if (stricmp(auth, "Kerberos") != 0) {
+ if (stristr(auth, "Kerberos") == NULL) {
 if (isparam("newpwd")) {
 strlcpy(str, getparam("newpwd"), sizeof(str));
 if (str[0] == 0) {
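Review bot: Dropping `get_user_line()` from the condition at `@@ -8549` in show_change_pwd_page means `act_pwd` and `full_user` are no longer filled in; `act_pwd` has no remaining reader in the hunk, but if `full_user` is still read further down the function (outside the hunk) it is now uninitialised. The existence check effectively moves into the backend, since auth_change_password_file returns FALSE for an unknown user, so the code that later calls auth_change_password must surface that failure instead of showing the success page; a short comment at the new `if (user[0]) {`, e.g. `/* user existence is checked by the auth backend */`, would record the intent. The enclosing function starts and ends outside the hunk.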
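Review bot: `stristr(auth, "Kerberos") == NULL` at `@@ -12700` skips the blank-password check in save_user_config whenever Kerberos appears anywhere in the Authentication value, so in the combined "Kerberos, File" mode this commit introduces a File-backed user can be saved with an empty password; the same test at `@@ -12720` likewise skips the newpwd/newpwd2 handling entirely in that mode, so file users cannot be given a password from this page at all. Both should key on the File backend being configured, mirroring auth_verify_password: `if (auth[0] == 0 || stristr(auth, "File")) {`, which keeps the single-backend behaviour unchanged. The remainder of save_user_config lies outside both hunks.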
@@ -12720,7 +12710,7 @@ int save_user_config(LOGBOOK * lbs, char *user, BOOL new_user)
 self_register = atoi(str);
 new_pwd[0] = 0;
- if (stricmp(auth, "Kerberos") != 0) {
+ if (stristr(auth, "Kerberos") == NULL) {
 /* check if passwords match */
 if (isparam("newpwd") && isparam("newpwd2")) {
 do_crypt(getparam("newpwd"), new_pwd, sizeof(new_pwd));
@@ -13424,7 +13414,7 @@ void show_forgot_pwd_page(LOGBOOK * lbs)
 {
 int i;
 char str[1000], str2[1000], login_name[256], full_name[256], user_email[256], name[256], pwd[256],
- redir[256], pwd_encrypted[256], smtp_host[256], mail_from[256], mail_from_name[256], subject[256],
+ redir[256], smtp_host[256], mail_from[256], mail_from_name[256], subject[256],
 mail_text[1000], url[1000], error[1000];
 if (isparam("login_name")) {
@@ -13447,11 +13437,9 @@ void show_forgot_pwd_page(LOGBOOK * lbs)
 }
 /* create random password */
- for (i = 0; i < 8; i++)
- str[i] = 'A' + (rand() % 25);
- str[i] = 0;
- base64_encode((unsigned char *) str, (unsigned char *) pwd, sizeof(pwd));
- do_crypt(pwd, pwd_encrypted, sizeof(pwd_encrypted));
+ for (i = 0; i < 16; i++)
+ pwd[i] = 'A' + (rand() % 25);
+ pwd[i] = 0;
 /* send email with new password */
 if (!getcfg("global", "SMTP host", smtp_host, sizeof(smtp_host))) {
@@ -13515,7 +13503,7 @@ void show_forgot_pwd_page(LOGBOOK * lbs)
 if (sendmail(lbs, smtp_host, mail_from, user_email, mail_text, error, sizeof(error)) != -1) {
 /* save new password */
- auth_change_password(lbs, login_name, NULL, pwd_encrypted, str, sizeof(str));
+ auth_change_password(lbs, login_name, NULL, pwd, str, sizeof(str));
 /* show notification web page */
 show_standard_header(lbs, FALSE, loc("ELOG password recovery"), "", FALSE, NULL, NULL);
diff --git a/src/elogd.h b/src/elogd.h
index 123040e9..e59f2af5 100644
--- a/src/elogd.h
+++ b/src/elogd.h
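Review bot: The recovery password built at `@@ -13447` in show_forgot_pwd_page comes from `rand()`, whose output is fully determined by its seed, so the reset password mailed to the user is not drawn from a cryptographically secure source; it should be filled from the platform CSPRNG (`/dev/urandom`, or `CryptGenRandom` on the Windows build that build.bat produces) and mapped onto the alphabet from there. `rand() % 25` also yields only 'A'..'Y', silently dropping 'Z' (`% 26` covers the alphabet), and 16 upper-case letters give only about 74 bits even with a perfect generator. Since `pwd` now holds the plaintext that is both mailed and handed to `auth_change_password()`, it should be wiped once both uses are done rather than left on the stack; the function continues outside the hunk.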
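Review bot: The return value of `auth_change_password()` at `@@ -13515` is still discarded right after the mail has gone out, so when the save fails (unknown user in the password file, or an unassigned status from auth_change_password) the page still announces a successful recovery while the password in the mail does not work; check it and show `str`, which receives the backend's error message, instead of the notification. Because the mail is sent before the password is stored, a failure here also leaves a plaintext password in the user's mailbox that was never valid; storing first and mailing second, or at least reporting the failure, closes that gap. The surrounding function body lies outside the hunk.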
@@ -286,6 +286,7 @@ void show_elog_entry(LOGBOOK * lbs, char *dec_path, char *command);
 char *loc(char *orig);
 void strencode(char *text);
 void strencode_nouml(char *text);
+char *stristr(const char *str, const char *pattern);
 int scan_attributes(char *logbook);
 int is_inline_attachment(char *encoding, int message_id, char *text, int i, char *att);
 int setgroup(char *str);