rusty@groan.Berkeley.EDU (Rusty Wright) (05/29/91)
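/*
 * Has anybody put in the fixes to make Cap 6.0 work with Ultrix 4.n
 * enhanced security? I made the mistake of turning on enhanced security
 * and it breaks any pd programs that read the password field. As an
 * example of some of what needs to be done, here's a little test program
 * to read the encrypted password entry for user "somebody". I can
 * probably do the work myself but I'd rather not reinvent this wheel if
 * someone has already done so.
 */

# include <sys/svcinfo.h>
# include <sys/types.h>
# include <auth.h>
# include <pwd.h>
# include <stdio.h>
# include <stdlib.h>	/* exit() */
# include <string.h>	/* strcmp() */

/*
 * Diagnostic: print "name=hash" for the account "somebody".
 *
 * The passwd entry is read with getpwnam(). When its password field is
 * the single character "*" and getsvc() reports a security level of
 * SEC_UPGRADE or SEC_ENHANCED, the hash is taken from the record that
 * getauthuid() returns for the account's uid instead.
 *
 * Exits with status 1 if any lookup fails, 0 otherwise. The output is
 * the stored password hash, so this is only suitable as a throwaway
 * test and its output should not be kept in logs.
 */
int
main()
{
	extern AUTHORIZATION *getauthuid();
	AUTHORIZATION *au;
	struct svcinfo *si;
	struct passwd *pw;
	char *hash;

	if ((pw = getpwnam("somebody")) == NULL) {
		fprintf(stderr, "can't get pwent for somebody\n");
		exit(1);
	}

	/*
	 * Track the hash in a local rather than writing through pw, so
	 * the passwd entry returned by getpwnam() is left as it was read.
	 */
	hash = pw->pw_passwd;

	if (strcmp(hash, "*") == 0) {
		/* si is dereferenced below, so refuse to continue without it */
		if ((si = getsvc()) == NULL) {
			fprintf(stderr, "getsvc() error\n");
			exit(1);
		}

		if ((si->svcauth.seclevel == SEC_UPGRADE) ||
		    (si->svcauth.seclevel == SEC_ENHANCED)) {
			if ((au = getauthuid(pw->pw_uid)) == NULL) {
				/* cast so the argument matches %d whatever the uid type is */
				fprintf(stderr, "getauthuid(%d) error\n", (int) pw->pw_uid);
				exit(1);
			}
			hash = au->a_password;
		}
	}

	printf("%s=%s\n", pw->pw_name, hash);
	return 0;
}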
rusty@groan.Berkeley.EDU (Rusty Wright) (05/29/91)
I ended up doing it myself. Here are my diffs. I only have 1 Ultrix machine available to me; i.e., I don't have a machine running Ultrix 4.1 that's not at Enhanced Security so I can't test if this works on a machine at BSD Security level. Seems to me it should. I also added the following 2 lines to m4.setup: # any special libraries ifelse(os,[ultrix40],[ define([libspecial],concat(libspecial,[ -lauth]))])
------- afpos.c -------
*** /tmp/da07498 Tue May 28 17:40:50 1991
--- afpos.c Tue May 28 16:28:16 1991
***************
*** 2762,2767 ****
--- 2762,2770 ----
byte *pwdother;
int uam;
{
+ # ifdef ultrix
+ extern char *ultrix_crypt();
+ # endif
struct passwd *p;
boolean safedebug;
byte encrypted[8]; /* 64 bits */
***************
*** 2848,2854 ****
--- 2851,2861 ----
logit(0,"Login: user %s has a NULL password",nam);
return(aeUserNotAuth);
}
+ # ifdef ultrix
+ if (strcmp(ultrix_crypt(pwd,p),p->pw_passwd) != 0) {
+ # else
if (strcmp(crypt(pwd,p->pw_passwd),p->pw_passwd) != 0) {
+ # endif
logit(0,"Login: Incorrect password for user %s",nam);
if (!safedebug)
return(aeUserNotAuth);
***************
*** 3361,3364 ****
}
}
!
--- 3368,3418 ----
}
}
! # ifdef ultrix
! # include <sys/svcinfo.h>
! # include <auth.h>
!
! char *
! ultrix_crypt(pwd, pw)
! char *pwd;
! struct passwd *pw;
! {
! extern char *crypt(), *crypt16();
! extern AUTHORIZATION *getauthuid();
! AUTHORIZATION *au;
! struct svcinfo *si;
! char *passwd;
!
! /*
! * the asterisk means that the real encrypted password
! * is in the auth file. But we really should check to
! * see if the security level is either SEC_UPGRADE or
! * SEC_ENHANCED and the password is an asterisk because
! * the security level could be BSD and someone put an
! * asterisk in to turn an account off, but if that's the
! * case the right thing will happen here anyways (i.e.,
! * nothing encrypts to a single asterisk so the test will
! * fail).
! */
! if (strcmp(pw->pw_passwd, "*") == 0) {
! si = getsvc();
!
! if ((si->svcauth.seclevel == SEC_UPGRADE) ||
! (si->svcauth.seclevel == SEC_ENHANCED)) {
! /*
! * if they aren't in the auth file return
! * the empty string. this can't match since
! * we've already thrown out empty passwords.
! */
! if ((au = getauthuid(pw->pw_uid)) == NULL)
! return("");
!
! pw->pw_passwd = au->a_password;
! }
!
! return(crypt16(pwd, pw->pw_passwd));
! }
!
! return(crypt(pwd, pw->pw_passwd));
! }
! # endif
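Review bot: In ultrix_crypt() (third afpos.c hunk) the result of `getsvc()` is dereferenced without a NULL check, assuming it can return NULL on failure, and the hash taken from the auth record is never tested for being empty. The caller's "NULL password" guard runs earlier, while `p->pw_passwd` is still `"*"`, so it does not cover an auth entry whose `a_password` is empty; what crypt16() returns for an empty salt is not visible here. I would add `if (si == NULL) return("");` after the getsvc() call and `if (au->a_password[0] == '\0') return("");` before the assignment, so both cases take the same fail-closed path as a missing auth entry. The local `char *passwd;` is unused and can be dropped.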