xref: /illumos-gate/usr/src/cmd/keyserv/keylogin.c (revision bbf21555)
17c478bd9Sstevel@tonic-gate /*
27c478bd9Sstevel@tonic-gate  * CDDL HEADER START
37c478bd9Sstevel@tonic-gate  *
47c478bd9Sstevel@tonic-gate  * The contents of this file are subject to the terms of the
5a0368f78Speteh  * Common Development and Distribution License (the "License").
6a0368f78Speteh  * You may not use this file except in compliance with the License.
77c478bd9Sstevel@tonic-gate  *
87c478bd9Sstevel@tonic-gate  * You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
97c478bd9Sstevel@tonic-gate  * or http://www.opensolaris.org/os/licensing.
107c478bd9Sstevel@tonic-gate  * See the License for the specific language governing permissions
117c478bd9Sstevel@tonic-gate  * and limitations under the License.
127c478bd9Sstevel@tonic-gate  *
137c478bd9Sstevel@tonic-gate  * When distributing Covered Code, include this CDDL HEADER in each
147c478bd9Sstevel@tonic-gate  * file and include the License file at usr/src/OPENSOLARIS.LICENSE.
157c478bd9Sstevel@tonic-gate  * If applicable, add the following below this CDDL HEADER, with the
167c478bd9Sstevel@tonic-gate  * fields enclosed by brackets "[]" replaced with your own identifying
177c478bd9Sstevel@tonic-gate  * information: Portions Copyright [yyyy] [name of copyright owner]
187c478bd9Sstevel@tonic-gate  *
197c478bd9Sstevel@tonic-gate  * CDDL HEADER END
207c478bd9Sstevel@tonic-gate  */
217c478bd9Sstevel@tonic-gate /*
22a0368f78Speteh  * Copyright 2006 Sun Microsystems, Inc.  All rights reserved.
237c478bd9Sstevel@tonic-gate  * Use is subject to license terms.
247c478bd9Sstevel@tonic-gate  */
257c478bd9Sstevel@tonic-gate 
267c478bd9Sstevel@tonic-gate /*	Copyright (c) 1984, 1986, 1987, 1988, 1989 AT&T	*/
277c478bd9Sstevel@tonic-gate /*	  All Rights Reserved  	*/
287c478bd9Sstevel@tonic-gate 
297c478bd9Sstevel@tonic-gate /*
307c478bd9Sstevel@tonic-gate  * University Copyright- Copyright (c) 1982, 1986, 1988
317c478bd9Sstevel@tonic-gate  * The Regents of the University of California
327c478bd9Sstevel@tonic-gate  * All Rights Reserved
337c478bd9Sstevel@tonic-gate  *
347c478bd9Sstevel@tonic-gate  * University Acknowledgment- Portions of this document are derived from
357c478bd9Sstevel@tonic-gate  * software developed by the University of California, Berkeley, and its
367c478bd9Sstevel@tonic-gate  * contributors.
377c478bd9Sstevel@tonic-gate  */
387c478bd9Sstevel@tonic-gate 
397c478bd9Sstevel@tonic-gate /*
407c478bd9Sstevel@tonic-gate  * Set secret key on local machine
417c478bd9Sstevel@tonic-gate  */
427c478bd9Sstevel@tonic-gate #include <stdio.h>
437c478bd9Sstevel@tonic-gate #include <rpc/rpc.h>
447c478bd9Sstevel@tonic-gate #include <rpc/key_prot.h>
457c478bd9Sstevel@tonic-gate #include <nfs/nfs.h>				/* to revoke existing creds */
467c478bd9Sstevel@tonic-gate #include <nfs/nfssys.h>
477c478bd9Sstevel@tonic-gate #include <string.h>
487c478bd9Sstevel@tonic-gate #include <rpcsvc/nis_dhext.h>
497c478bd9Sstevel@tonic-gate 
507c478bd9Sstevel@tonic-gate #define	ROOTKEY_FILE "/etc/.rootkey"
517c478bd9Sstevel@tonic-gate #define	ROOTKEY_FILE_BACKUP	"/etc/.rootkey.bak"
527c478bd9Sstevel@tonic-gate /* Should last until 16384-bit DH keys */
537c478bd9Sstevel@tonic-gate #define	MAXROOTKEY_LINE_LEN	4224
547c478bd9Sstevel@tonic-gate #define	MAXROOTKEY_LEN		4096
557c478bd9Sstevel@tonic-gate 
567c478bd9Sstevel@tonic-gate extern int key_setnet_g();
577c478bd9Sstevel@tonic-gate 
587c478bd9Sstevel@tonic-gate static void logout_curr_key();
597c478bd9Sstevel@tonic-gate static int mkrootkey;
607c478bd9Sstevel@tonic-gate 
617c478bd9Sstevel@tonic-gate static char *sec_domain = NULL;
627c478bd9Sstevel@tonic-gate static char local_domain[MAXNETNAMELEN + 1];
637c478bd9Sstevel@tonic-gate 
647c478bd9Sstevel@tonic-gate /*
657c478bd9Sstevel@tonic-gate  * fgets is broken in that if it reads a NUL character it will always return
667c478bd9Sstevel@tonic-gate  * EOF.  This replacement can deal with NULs
677c478bd9Sstevel@tonic-gate  */
687c478bd9Sstevel@tonic-gate static char *
fgets_ignorenul(char * s,int n,FILE * stream)697c478bd9Sstevel@tonic-gate fgets_ignorenul(char *s, int n, FILE *stream)
707c478bd9Sstevel@tonic-gate {
717c478bd9Sstevel@tonic-gate 	int fildes = fileno(stream);
727c478bd9Sstevel@tonic-gate 	int i = 0;
737c478bd9Sstevel@tonic-gate 	int rs = 0;
747c478bd9Sstevel@tonic-gate 	char c;
757c478bd9Sstevel@tonic-gate 
767c478bd9Sstevel@tonic-gate 	if (fildes < 0)
777c478bd9Sstevel@tonic-gate 		return (NULL);
787c478bd9Sstevel@tonic-gate 
797c478bd9Sstevel@tonic-gate 	while (i < n - 1) {
807c478bd9Sstevel@tonic-gate 		rs = read(fildes, &c, 1);
817c478bd9Sstevel@tonic-gate 		switch (rs) {
827c478bd9Sstevel@tonic-gate 		case 1:
837c478bd9Sstevel@tonic-gate 			break;
847c478bd9Sstevel@tonic-gate 		case 0:
857c478bd9Sstevel@tonic-gate 			/* EOF */
867c478bd9Sstevel@tonic-gate 			if (i > 0)
877c478bd9Sstevel@tonic-gate 				s[i] = '\0';
887c478bd9Sstevel@tonic-gate 			return (NULL);
897c478bd9Sstevel@tonic-gate 			break;
907c478bd9Sstevel@tonic-gate 		default:
917c478bd9Sstevel@tonic-gate 			return (NULL);
927c478bd9Sstevel@tonic-gate 		}
937c478bd9Sstevel@tonic-gate 		switch (c) {
947c478bd9Sstevel@tonic-gate 		case '\0':
957c478bd9Sstevel@tonic-gate 			break;
967c478bd9Sstevel@tonic-gate 		case '\n':
977c478bd9Sstevel@tonic-gate 			s[i] = c;
987c478bd9Sstevel@tonic-gate 			s[++i] = '\0';
997c478bd9Sstevel@tonic-gate 			return (s);
1007c478bd9Sstevel@tonic-gate 		default:
1017c478bd9Sstevel@tonic-gate 		if (c != '\0')
1027c478bd9Sstevel@tonic-gate 			s[i++] = c;
1037c478bd9Sstevel@tonic-gate 		}
1047c478bd9Sstevel@tonic-gate 	}
1057c478bd9Sstevel@tonic-gate 	s[i] = '\0';
1067c478bd9Sstevel@tonic-gate 	return (s);
1077c478bd9Sstevel@tonic-gate }
1087c478bd9Sstevel@tonic-gate 
1097c478bd9Sstevel@tonic-gate 
1107c478bd9Sstevel@tonic-gate /* write unencrypted secret key into root key file */
1117c478bd9Sstevel@tonic-gate static void
write_rootkey(char * secret,char * flavor,keylen_t keylen,algtype_t algtype)1127c478bd9Sstevel@tonic-gate write_rootkey(char *secret, char *flavor, keylen_t keylen, algtype_t algtype)
1137c478bd9Sstevel@tonic-gate {
1147c478bd9Sstevel@tonic-gate 	char		line[MAXROOTKEY_LINE_LEN];
1157c478bd9Sstevel@tonic-gate 	char		keyent[MAXROOTKEY_LEN];
1167c478bd9Sstevel@tonic-gate 	algtype_t	atent;
1177c478bd9Sstevel@tonic-gate 	int		rootfd, bakfd, hexkeybytes;
1187c478bd9Sstevel@tonic-gate 	bool_t		lineone = TRUE;
1197c478bd9Sstevel@tonic-gate 	bool_t		gotit = FALSE;
1207c478bd9Sstevel@tonic-gate 	FILE		*rootfile, *bakfile;
1217c478bd9Sstevel@tonic-gate 
1227c478bd9Sstevel@tonic-gate 	unlink(ROOTKEY_FILE_BACKUP);
1237c478bd9Sstevel@tonic-gate 	if ((rename(ROOTKEY_FILE, ROOTKEY_FILE_BACKUP)) < 0) {
1247c478bd9Sstevel@tonic-gate 		if ((bakfd = creat(ROOTKEY_FILE_BACKUP, 0600)) < 0) {
1257c478bd9Sstevel@tonic-gate 			perror("Could not create /etc/.rootkey.bak");
1267c478bd9Sstevel@tonic-gate 			goto rootkey_err;
1277c478bd9Sstevel@tonic-gate 		}
1287c478bd9Sstevel@tonic-gate 		close(bakfd);
1297c478bd9Sstevel@tonic-gate 	}
1307c478bd9Sstevel@tonic-gate 
1317c478bd9Sstevel@tonic-gate 	if ((rootfd = open(ROOTKEY_FILE, O_WRONLY+O_CREAT, 0600)) < 0) {
1327c478bd9Sstevel@tonic-gate 		perror("Could not open /etc/.rootkey for writing");
1337c478bd9Sstevel@tonic-gate 		fprintf(stderr,
1347c478bd9Sstevel@tonic-gate 			"Attempting to restore original /etc/.rootkey\n");
1357c478bd9Sstevel@tonic-gate 		(void) rename(ROOTKEY_FILE_BACKUP, ROOTKEY_FILE);
1367c478bd9Sstevel@tonic-gate 		goto rootkey_err;
1377c478bd9Sstevel@tonic-gate 	}
1387c478bd9Sstevel@tonic-gate 	if (!(rootfile = fdopen(rootfd, "w"))) {
1397c478bd9Sstevel@tonic-gate 		perror("Could not open /etc/.rootkey for writing");
1407c478bd9Sstevel@tonic-gate 		fprintf(stderr,
1417c478bd9Sstevel@tonic-gate 			"Attempting to restore original /etc/.rootkey\n");
1427c478bd9Sstevel@tonic-gate 		close(rootfd);
1437c478bd9Sstevel@tonic-gate 		unlink(ROOTKEY_FILE);
1447c478bd9Sstevel@tonic-gate 		rename(ROOTKEY_FILE_BACKUP, ROOTKEY_FILE);
1457c478bd9Sstevel@tonic-gate 		goto rootkey_err;
1467c478bd9Sstevel@tonic-gate 	}
1477c478bd9Sstevel@tonic-gate 	if (!(bakfile = fopen(ROOTKEY_FILE_BACKUP, "r"))) {
1487c478bd9Sstevel@tonic-gate 		perror("Could not open /etc/.rootkey.bak for reading");
1497c478bd9Sstevel@tonic-gate 		fprintf(stderr,
1507c478bd9Sstevel@tonic-gate 			"Attempting to restore original /etc/.rootkey\n");
1517c478bd9Sstevel@tonic-gate 		(void) fclose(rootfile);
1527c478bd9Sstevel@tonic-gate 		unlink(ROOTKEY_FILE);
1537c478bd9Sstevel@tonic-gate 		rename(ROOTKEY_FILE_BACKUP, ROOTKEY_FILE);
1547c478bd9Sstevel@tonic-gate 		goto rootkey_err;
1557c478bd9Sstevel@tonic-gate 	}
1567c478bd9Sstevel@tonic-gate 
1577c478bd9Sstevel@tonic-gate 	hexkeybytes = ((keylen + 7) / 8) * 2;
1587c478bd9Sstevel@tonic-gate 
1597c478bd9Sstevel@tonic-gate 	while (fgets_ignorenul(line, MAXROOTKEY_LINE_LEN, bakfile)) {
160a0368f78Speteh 		if (sscanf(line, "%s %d", keyent, &atent) < 2) {
161a0368f78Speteh 			/*
162a0368f78Speteh 			 * No encryption algorithm found in the file
163a0368f78Speteh 			 * (atent) so default to DES.
164a0368f78Speteh 			 */
165a0368f78Speteh 			atent = AUTH_DES_ALGTYPE;
166a0368f78Speteh 		}
1677c478bd9Sstevel@tonic-gate 		/*
1687c478bd9Sstevel@tonic-gate 		 * 192-bit keys always go on the first line
1697c478bd9Sstevel@tonic-gate 		 */
1707c478bd9Sstevel@tonic-gate 		if (lineone) {
1717c478bd9Sstevel@tonic-gate 			lineone = FALSE;
1727c478bd9Sstevel@tonic-gate 			if (keylen == 192) {
1737c478bd9Sstevel@tonic-gate 				gotit = TRUE;
1747c478bd9Sstevel@tonic-gate 				fprintf(rootfile, "%s\n", secret);
1757c478bd9Sstevel@tonic-gate 			} else
1767c478bd9Sstevel@tonic-gate 				fprintf(rootfile, "%s", line);
1777c478bd9Sstevel@tonic-gate 			(void) fflush(rootfile);
1787c478bd9Sstevel@tonic-gate 		} else {
1797c478bd9Sstevel@tonic-gate 			if ((strlen(keyent) == hexkeybytes) &&
1807c478bd9Sstevel@tonic-gate 			    (atent == algtype)) {
1817c478bd9Sstevel@tonic-gate 				/*
1827c478bd9Sstevel@tonic-gate 				 * Silently remove lines with the same
1837c478bd9Sstevel@tonic-gate 				 * keylen/algtype
1847c478bd9Sstevel@tonic-gate 				 */
1857c478bd9Sstevel@tonic-gate 				if (gotit)
1867c478bd9Sstevel@tonic-gate 					continue;
1877c478bd9Sstevel@tonic-gate 				else
1887c478bd9Sstevel@tonic-gate 					gotit = TRUE;
1897c478bd9Sstevel@tonic-gate 
1907c478bd9Sstevel@tonic-gate 				fprintf(rootfile, "%s %d\n", secret, algtype);
1917c478bd9Sstevel@tonic-gate 			} else
1927c478bd9Sstevel@tonic-gate 				fprintf(rootfile, "%s", line);
1937c478bd9Sstevel@tonic-gate 			(void) fflush(rootfile);
1947c478bd9Sstevel@tonic-gate 		}
1957c478bd9Sstevel@tonic-gate 	}
1967c478bd9Sstevel@tonic-gate 
1977c478bd9Sstevel@tonic-gate 	/* Append key to rootkey file */
1987c478bd9Sstevel@tonic-gate 	if (!gotit) {
1997c478bd9Sstevel@tonic-gate 		if (keylen == 192)
2007c478bd9Sstevel@tonic-gate 			fprintf(rootfile, "%s\n", secret);
2017c478bd9Sstevel@tonic-gate 		else {
2027c478bd9Sstevel@tonic-gate 			if (lineone)
2037c478bd9Sstevel@tonic-gate 				fprintf(rootfile, "\n");
2047c478bd9Sstevel@tonic-gate 			fprintf(rootfile, "%s %d\n", secret, algtype);
2057c478bd9Sstevel@tonic-gate 		}
2067c478bd9Sstevel@tonic-gate 	}
2077c478bd9Sstevel@tonic-gate 	(void) fflush(rootfile);
2087c478bd9Sstevel@tonic-gate 	fclose(rootfile);
2097c478bd9Sstevel@tonic-gate 	fclose(bakfile);
2107c478bd9Sstevel@tonic-gate 	unlink(ROOTKEY_FILE_BACKUP);
2117c478bd9Sstevel@tonic-gate 	if (keylen == 192)
2127c478bd9Sstevel@tonic-gate 		fprintf(stderr, "Wrote secret key into %s\n", ROOTKEY_FILE);
2137c478bd9Sstevel@tonic-gate 	else
2147c478bd9Sstevel@tonic-gate 		fprintf(stderr, "Wrote %s key into %s\n", flavor,
2157c478bd9Sstevel@tonic-gate 			ROOTKEY_FILE);
2167c478bd9Sstevel@tonic-gate 	return;
2177c478bd9Sstevel@tonic-gate 
2187c478bd9Sstevel@tonic-gate rootkey_err:
2197c478bd9Sstevel@tonic-gate 	fprintf(stderr, "WARNING: Could not write %s key to /etc/.rootkey\n",
2207c478bd9Sstevel@tonic-gate 		flavor);
2217c478bd9Sstevel@tonic-gate }
2227c478bd9Sstevel@tonic-gate 
2237c478bd9Sstevel@tonic-gate /* Perform AUTH_DES keylogin */
2247c478bd9Sstevel@tonic-gate static int
oldkeylogin(char * fullname,char * pass)2257c478bd9Sstevel@tonic-gate oldkeylogin(char *fullname, char *pass)
2267c478bd9Sstevel@tonic-gate {
2277c478bd9Sstevel@tonic-gate 	char			secret[HEXKEYBYTES+1];
2287c478bd9Sstevel@tonic-gate 	struct key_netstarg	netst;
2297c478bd9Sstevel@tonic-gate 
2307c478bd9Sstevel@tonic-gate 		if (getsecretkey(fullname, secret, pass) == 0) {
2317c478bd9Sstevel@tonic-gate 			fprintf(stderr, "Could not find %s's secret key\n",
2327c478bd9Sstevel@tonic-gate 				fullname);
2337c478bd9Sstevel@tonic-gate 			if (sec_domain && *sec_domain &&
2347c478bd9Sstevel@tonic-gate 				strcasecmp(sec_domain, local_domain)) {
2357c478bd9Sstevel@tonic-gate 				fprintf(stderr,
2367c478bd9Sstevel@tonic-gate "The system default domain '%s' is different from the Secure RPC\n\
2377c478bd9Sstevel@tonic-gate domain %s where the key is stored.  The Secure RPC domainname is\n\
2387c478bd9Sstevel@tonic-gate defined by the directory object stored in the /var/nis/NIS_COLD_START file.\n\
239*bbf21555SRichard Lowe If you need to change this Secure RPC domainname, please use the nisinit(8)\n\
2407c478bd9Sstevel@tonic-gate command with the `-k` option.\n", local_domain, sec_domain);
2417c478bd9Sstevel@tonic-gate 			} else {
2427c478bd9Sstevel@tonic-gate 				fprintf(stderr,
2437c478bd9Sstevel@tonic-gate 		"Make sure the secret key is stored in domain %s\n",
2447c478bd9Sstevel@tonic-gate 				local_domain);
2457c478bd9Sstevel@tonic-gate 			}
2467c478bd9Sstevel@tonic-gate 			return (1);
2477c478bd9Sstevel@tonic-gate 		}
2487c478bd9Sstevel@tonic-gate 
2497c478bd9Sstevel@tonic-gate 		if (secret[0] == 0) {
2507c478bd9Sstevel@tonic-gate 			fprintf(stderr, "Password incorrect for %s\n",
2517c478bd9Sstevel@tonic-gate 				fullname);
2527c478bd9Sstevel@tonic-gate 			return (1);
2537c478bd9Sstevel@tonic-gate 		}
2547c478bd9Sstevel@tonic-gate 		/* revoke any existing (lingering) credentials... */
2557c478bd9Sstevel@tonic-gate 		logout_curr_key();
2567c478bd9Sstevel@tonic-gate 
2577c478bd9Sstevel@tonic-gate 		memcpy(netst.st_priv_key, secret, HEXKEYBYTES);
2587c478bd9Sstevel@tonic-gate 		memset(secret, 0, HEXKEYBYTES);
2597c478bd9Sstevel@tonic-gate 
2607c478bd9Sstevel@tonic-gate 		netst.st_pub_key[0] = 0;
2617c478bd9Sstevel@tonic-gate 		netst.st_netname = strdup(fullname);
2627c478bd9Sstevel@tonic-gate 
2637c478bd9Sstevel@tonic-gate 		/* do actual key login */
2647c478bd9Sstevel@tonic-gate 		if (key_setnet(&netst) < 0) {
2657c478bd9Sstevel@tonic-gate 			fprintf(stderr, "Could not set %s's secret key\n",
2667c478bd9Sstevel@tonic-gate 				fullname);
2677c478bd9Sstevel@tonic-gate 			fprintf(stderr, "May be the keyserv is down?\n");
2687c478bd9Sstevel@tonic-gate 			if (mkrootkey == 0)   /* nothing else to do */
2697c478bd9Sstevel@tonic-gate 				return (1);
2707c478bd9Sstevel@tonic-gate 		}
2717c478bd9Sstevel@tonic-gate 
2727c478bd9Sstevel@tonic-gate 		/* write unencrypted secret key into root key file */
2737c478bd9Sstevel@tonic-gate 		if (mkrootkey)
2747c478bd9Sstevel@tonic-gate 			write_rootkey(netst.st_priv_key, "des", 192, 0);
2757c478bd9Sstevel@tonic-gate 
2767c478bd9Sstevel@tonic-gate 		return (0);
2777c478bd9Sstevel@tonic-gate }
2787c478bd9Sstevel@tonic-gate 
2797c478bd9Sstevel@tonic-gate /*
2807c478bd9Sstevel@tonic-gate  * Revokes the existing credentials for Secure-RPC and Secure-NFS.
2817c478bd9Sstevel@tonic-gate  * This should only be called if the user entered the correct password;
2827c478bd9Sstevel@tonic-gate  * sorta like the way "su" doesn't force a login if you enter the wrong
2837c478bd9Sstevel@tonic-gate  * password.
2847c478bd9Sstevel@tonic-gate  */
2857c478bd9Sstevel@tonic-gate 
2867c478bd9Sstevel@tonic-gate static void
logout_curr_key()2877c478bd9Sstevel@tonic-gate logout_curr_key()
2887c478bd9Sstevel@tonic-gate {
2897c478bd9Sstevel@tonic-gate 	static char		secret[HEXKEYBYTES + 1];
2907c478bd9Sstevel@tonic-gate 	struct nfs_revauth_args	nra;
2917c478bd9Sstevel@tonic-gate 
2927c478bd9Sstevel@tonic-gate 	/*
2937c478bd9Sstevel@tonic-gate 	 * try to revoke the existing key/credentials, assuming
2947c478bd9Sstevel@tonic-gate 	 * one exists.  this will effectively mark "stale" any
2957c478bd9Sstevel@tonic-gate 	 * cached credientials...
2967c478bd9Sstevel@tonic-gate 	 */
2977c478bd9Sstevel@tonic-gate 	if (key_setsecret(secret) < 0) {
2987c478bd9Sstevel@tonic-gate 		return;
2997c478bd9Sstevel@tonic-gate 	}
3007c478bd9Sstevel@tonic-gate 
3017c478bd9Sstevel@tonic-gate 	/*
3027c478bd9Sstevel@tonic-gate 	 * it looks like a credential already existed, so try and
3037c478bd9Sstevel@tonic-gate 	 * revoke any lingering Secure-NFS privledges.
3047c478bd9Sstevel@tonic-gate 	 */
3057c478bd9Sstevel@tonic-gate 
3067c478bd9Sstevel@tonic-gate 	nra.authtype = AUTH_DES;
3077c478bd9Sstevel@tonic-gate 	nra.uid = getuid();
3087c478bd9Sstevel@tonic-gate 
3097c478bd9Sstevel@tonic-gate 	(void) _nfssys(NFS_REVAUTH, &nra);
3107c478bd9Sstevel@tonic-gate }
3117c478bd9Sstevel@tonic-gate 
3127c478bd9Sstevel@tonic-gate void
usage(cmd)3137c478bd9Sstevel@tonic-gate usage(cmd)
3147c478bd9Sstevel@tonic-gate 	char *cmd;
3157c478bd9Sstevel@tonic-gate {
3167c478bd9Sstevel@tonic-gate 	fprintf(stderr, "usage: %s [-r]\n", cmd);
3177c478bd9Sstevel@tonic-gate 	exit(1);
3187c478bd9Sstevel@tonic-gate }
3197c478bd9Sstevel@tonic-gate 
3207c478bd9Sstevel@tonic-gate 
32149e7ca49Speteh int
main(int argc,char * argv[])32249e7ca49Speteh main(int argc, char *argv[])
3237c478bd9Sstevel@tonic-gate {
3247c478bd9Sstevel@tonic-gate 	char		secret[4096];
3257c478bd9Sstevel@tonic-gate 	char		fullname[MAXNETNAMELEN + 1];
3267c478bd9Sstevel@tonic-gate 	char		*getpass();
3277c478bd9Sstevel@tonic-gate 	char		*pass;
3287c478bd9Sstevel@tonic-gate 	int		i = 0;
3297c478bd9Sstevel@tonic-gate 	mechanism_t	**mechlist;
3307c478bd9Sstevel@tonic-gate 
3317c478bd9Sstevel@tonic-gate 	if (argc == 1)
3327c478bd9Sstevel@tonic-gate 		mkrootkey = 0;
3337c478bd9Sstevel@tonic-gate 	else if (argc == 2 && (strcmp(argv[1], "-r") == 0)) {
3347c478bd9Sstevel@tonic-gate 		if (geteuid() != 0) {
3357c478bd9Sstevel@tonic-gate 			fprintf(stderr, "Must be root to use -r option.\n");
3367c478bd9Sstevel@tonic-gate 			exit(1);
3377c478bd9Sstevel@tonic-gate 		}
3387c478bd9Sstevel@tonic-gate 		mkrootkey = 1;
3397c478bd9Sstevel@tonic-gate 	} else
3407c478bd9Sstevel@tonic-gate 		usage(argv[0]);
3417c478bd9Sstevel@tonic-gate 
3427c478bd9Sstevel@tonic-gate 	if (getnetname(fullname) == 0) {
3437c478bd9Sstevel@tonic-gate 		fprintf(stderr, "Could not generate netname\n");
3447c478bd9Sstevel@tonic-gate 		exit(1);
3457c478bd9Sstevel@tonic-gate 	}
3467c478bd9Sstevel@tonic-gate 	sec_domain = strdup(strchr(fullname, '@') + 1);
3477c478bd9Sstevel@tonic-gate 	getdomainname(local_domain, MAXNETNAMELEN);
3487c478bd9Sstevel@tonic-gate 
3497c478bd9Sstevel@tonic-gate 	if (!(pass = getpass("Password:")))
3507c478bd9Sstevel@tonic-gate 		exit(1);
3517c478bd9Sstevel@tonic-gate 
3527c478bd9Sstevel@tonic-gate 	if (mechlist = __nis_get_mechanisms(FALSE)) {
3537c478bd9Sstevel@tonic-gate 		while (mechlist[i]) {
3547c478bd9Sstevel@tonic-gate 			char		*alias;
3557c478bd9Sstevel@tonic-gate 
3567c478bd9Sstevel@tonic-gate 			if (AUTH_DES_COMPAT_CHK(mechlist[i])) {
3577c478bd9Sstevel@tonic-gate 				(void) oldkeylogin(fullname, pass);
3587c478bd9Sstevel@tonic-gate 				i++;
3597c478bd9Sstevel@tonic-gate 				continue;
3607c478bd9Sstevel@tonic-gate 			}
3617c478bd9Sstevel@tonic-gate 
3627c478bd9Sstevel@tonic-gate 			if (VALID_ALIAS(mechlist[i]->alias))
3637c478bd9Sstevel@tonic-gate 				alias = mechlist[i]->alias;
3647c478bd9Sstevel@tonic-gate 			else
3657c478bd9Sstevel@tonic-gate 				alias = "";
3667c478bd9Sstevel@tonic-gate 
3677c478bd9Sstevel@tonic-gate 			if (getsecretkey_g(fullname, mechlist[i]->keylen,
3687c478bd9Sstevel@tonic-gate 						mechlist[i]->algtype, secret,
3697c478bd9Sstevel@tonic-gate 						(((mechlist[i]->keylen / 7) +
3707c478bd9Sstevel@tonic-gate 						8) * 2) + 1, pass) == 0) {
3717c478bd9Sstevel@tonic-gate 				fprintf(stderr,
3727c478bd9Sstevel@tonic-gate 				"WARNING: Could not find %s's %s secret key\n",
3737c478bd9Sstevel@tonic-gate 					fullname, alias);
3747c478bd9Sstevel@tonic-gate 				i++;
3757c478bd9Sstevel@tonic-gate 				continue;
3767c478bd9Sstevel@tonic-gate 			}
3777c478bd9Sstevel@tonic-gate 
3787c478bd9Sstevel@tonic-gate 			if (secret[0] == 0) {
3797c478bd9Sstevel@tonic-gate 				fprintf(stderr,
3807c478bd9Sstevel@tonic-gate 				    "Password incorrect for %s's %s key.\n",
3817c478bd9Sstevel@tonic-gate 					fullname, alias);
3827c478bd9Sstevel@tonic-gate 				i++;
3837c478bd9Sstevel@tonic-gate 				continue;
3847c478bd9Sstevel@tonic-gate 			}
3857c478bd9Sstevel@tonic-gate 
3867c478bd9Sstevel@tonic-gate 			if (key_setnet_g(fullname, secret,
3877c478bd9Sstevel@tonic-gate 						mechlist[i]->keylen, NULL, 0,
3887c478bd9Sstevel@tonic-gate 						mechlist[i]->algtype) < 0) {
3897c478bd9Sstevel@tonic-gate 				fprintf(stderr,
3907c478bd9Sstevel@tonic-gate 				"Could not set %s's %s secret key\n",
3917c478bd9Sstevel@tonic-gate 					fullname, alias);
3927c478bd9Sstevel@tonic-gate 				fprintf(stderr,
3937c478bd9Sstevel@tonic-gate 					"May be the keyserv is down?\n");
3947c478bd9Sstevel@tonic-gate 				exit(1);
3957c478bd9Sstevel@tonic-gate 			}
3967c478bd9Sstevel@tonic-gate 
3977c478bd9Sstevel@tonic-gate 			if (mkrootkey)
3987c478bd9Sstevel@tonic-gate 				write_rootkey(secret, mechlist[i]->alias,
3997c478bd9Sstevel@tonic-gate 						mechlist[i]->keylen,
4007c478bd9Sstevel@tonic-gate 						mechlist[i]->algtype);
4017c478bd9Sstevel@tonic-gate 			i++;
4027c478bd9Sstevel@tonic-gate 		}
4037c478bd9Sstevel@tonic-gate 	} else
4047c478bd9Sstevel@tonic-gate 		exit(oldkeylogin(fullname, pass));
4057c478bd9Sstevel@tonic-gate 
40649e7ca49Speteh 	return (0);
4077c478bd9Sstevel@tonic-gate }
408