diff --git a/usr.bin/chkey/chkey.1 b/usr.bin/chkey/chkey.1 index 508227ba9601..e754d676e5d1 100644 --- a/usr.bin/chkey/chkey.1 +++ b/usr.bin/chkey/chkey.1 @@ -1,28 +1,33 @@ .\" @(#)chkey.1 1.5 91/03/11 TIRPC 1.0; .\" Copyright (c) 1988 Sun Microsystems, Inc. - All Rights Reserved. .\" .Dd July 5, 1989 .Dt CHKEY 1 .Os .Sh NAME .Nm chkey .Nd change your encryption key .Sh SYNOPSIS .Nm .Sh DEPRECATION NOTICE .Nm is deprecated and is not available as of .Fx 15.0. .Sh DESCRIPTION The .Nm utility prompts the user for their login password, and uses it to encrypt a new encryption key for the user to be stored in the .Xr publickey 5 database. .Sh "SEE ALSO" .Xr keylogin 1 , .Xr publickey 5 , .Xr keyserv 8 , .Xr newkey 8 +.Sh HISTORY +The +.Nm +utility was removed from +.Fx 15.0 . diff --git a/usr.bin/chkey/chkey.c b/usr.bin/chkey/chkey.c index afacae4d0f75..922a16b5b227 100644 --- a/usr.bin/chkey/chkey.c +++ b/usr.bin/chkey/chkey.c 
@@ -1,272 +1,273 @@ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user or with the express written consent of * Sun Microsystems, Inc. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTABILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #if 0 #ifndef lint static char sccsid[] = "@(#)chkey.c 1.7 91/03/11 Copyr 1986 Sun Micro"; #endif #endif #include /* * Copyright (C) 1986, Sun Microsystems, Inc. 
*/ /* * Command to change one's public key in the public key database */ #include #include #ifdef YP #include #include #else #define YPOP_STORE 4 #endif #include #include #include #include #include #include #include #include "extern.h" #ifdef YPPASSWD struct passwd *ypgetpwuid(uid_t); #endif #ifdef YP static char *domain; static char PKMAP[] = "publickey.byname"; #else static char PKFILE[] = "/etc/publickey"; #endif /* YP */ static char ROOTKEY[] = "/etc/.rootkey"; static void usage(void) __dead2; extern int yp_update(char *, char *, int, char *, size_t, char *, size_t); int main(int argc, char **argv) { char name[MAXNETNAMELEN+1]; char public[HEXKEYBYTES + 1]; char secret[HEXKEYBYTES + 1]; char crypt1[HEXKEYBYTES + KEYCHECKSUMSIZE + 1]; char crypt2[HEXKEYBYTES + KEYCHECKSUMSIZE + 1]; int status; char *pass; struct passwd *pw; uid_t uid; int force = 0; int ch; #ifdef YP char *master; #endif #ifdef YPPASSWD char *cryptpw; #endif + fprintf(stderr, "chkey is deprecated and removed from FreeBSD 15.\n"); while ((ch = getopt(argc, argv, "f")) != -1) switch(ch) { case 'f': force = 1; break; default: usage(); } argc -= optind; argv += optind; if (argc != 0) usage(); #ifdef YP (void)yp_get_default_domain(&domain); if (yp_master(domain, PKMAP, &master) != 0) errx(1, "can't find master of publickey database"); #endif uid = getuid() /*geteuid()*/; if (uid == 0) { if (host2netname(name, NULL, NULL) == 0) errx(1, "cannot convert hostname to netname"); } else { if (user2netname(name, uid, NULL) == 0) errx(1, "cannot convert username to netname"); } (void)printf("Generating new key for %s.\n", name); if (!force) { if (uid != 0) { #ifdef YPPASSWD pw = ypgetpwuid(uid); #else pw = getpwuid(uid); #endif if (pw == NULL) { #ifdef YPPASSWD errx(1, "no NIS password entry found: can't change key"); #else errx(1, "no password entry found: can't change key"); #endif } } else { pw = getpwuid(0); if (pw == NULL) errx(1, "no password entry found: can't change key"); } } pass = 
getpass("Password:"); #ifdef YPPASSWD if (!force) { cryptpw = crypt(pass, pw->pw_passwd); if (cryptpw == NULL || strcmp(cryptpw, pw->pw_passwd) != 0) errx(1, "invalid password"); } #else force = 1; /* Make this mandatory */ #endif genkeys(public, secret, pass); memcpy(crypt1, secret, HEXKEYBYTES); memcpy(crypt1 + HEXKEYBYTES, secret, KEYCHECKSUMSIZE); crypt1[HEXKEYBYTES + KEYCHECKSUMSIZE] = 0; xencrypt(crypt1, pass); if (force) { memcpy(crypt2, crypt1, HEXKEYBYTES + KEYCHECKSUMSIZE + 1); xdecrypt(crypt2, getpass("Retype password:")); if (memcmp(crypt2, crypt2 + HEXKEYBYTES, KEYCHECKSUMSIZE) != 0 || memcmp(crypt2, secret, HEXKEYBYTES) != 0) errx(1, "password incorrect"); } #ifdef YP (void)printf("Sending key change request to %s...\n", master); #endif status = setpublicmap(name, public, crypt1); if (status != 0) { #ifdef YP errx(1, "unable to update NIS database (%u): %s", status, yperr_string(status)); #else errx(1, "unable to update publickey database"); #endif } if (uid == 0) { /* * Root users store their key in /etc/$ROOTKEY so * that they can auto reboot without having to be * around to type a password. Storing this in a file * is rather dubious: it should really be in the EEPROM * so it does not go over the net. 
*/ int fd; fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0); if (fd < 0) { warn("%s", ROOTKEY); } else { char newline = '\n'; if (write(fd, secret, strlen(secret)) < 0 || write(fd, &newline, sizeof(newline)) < 0) warn("%s: write", ROOTKEY); } close(fd); } if (key_setsecret(secret) < 0) errx(1, "unable to login with new secret key"); (void)printf("Done.\n"); exit(0); /* NOTREACHED */ } static void usage(void) { (void)fprintf(stderr, "usage: chkey [-f]\n"); exit(1); /* NOTREACHED */ } /* * Set the entry in the public key file */ int setpublicmap(char *name, char *public, char *secret) { char pkent[1024]; (void)sprintf(pkent,"%s:%s", public, secret); #ifdef YP return (yp_update(domain, PKMAP, YPOP_STORE, name, strlen(name), pkent, strlen(pkent))); #else return (localupdate(name, PKFILE, YPOP_STORE, strlen(name), name, strlen(pkent), pkent)); #endif } #ifdef YPPASSWD struct passwd * ypgetpwuid(uid_t uid) { char uidstr[10]; char *val; int vallen; static struct passwd pw; char *p; (void)sprintf(uidstr, "%d", uid); if (yp_match(domain, "passwd.byuid", uidstr, strlen(uidstr), &val, &vallen) != 0) { return (NULL); } p = strchr(val, ':'); if (p == NULL) { return (NULL); } pw.pw_passwd = p + 1; p = strchr(pw.pw_passwd, ':'); if (p == NULL) { return (NULL); } *p = 0; return (&pw); } #endif /* YPPASSWD */ diff --git a/usr.bin/keylogin/keylogin.1 b/usr.bin/keylogin/keylogin.1 index 32a3e8e1b5b4..69b59cb68c5e 100644 --- a/usr.bin/keylogin/keylogin.1 +++ b/usr.bin/keylogin/keylogin.1 
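Review bot: In main's root branch, `close(fd);` sits after the if/else rather than inside the else, so when `open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0)` fails the code calls `warn()` and then `close(-1)`; move the `close(fd);` into the else branch right after the write checks. The two `write()` calls there are only tested for `< 0`, so a short write of the secret into /etc/.rootkey would pass silently; comparing each return value with the requested length would catch that. The deprecation notice on the new line is unaffected, but since this binary still handles a password and a secret key in `pass` and `secret`, clearing them with `explicit_bzero()` before `exit(0)` would be a cheap hardening while the tool remains shipped.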
@@ -1,33 +1,38 @@ .\" @(#)keylogin.1 1.5 91/03/11 TIRPC 1.0; .\" Copyright (c) 1988 Sun Microsystems, Inc. - All Rights Reserved. .\" .Dd September 9, 1987 .Dt KEYLOGIN 1 .Os .Sh NAME .Nm keylogin .Nd decrypt and store secret key .Sh SYNOPSIS .Nm .Sh DEPRECATION NOTICE .Nm is deprecated and is not available as of .Fx 15.0. .Sh DESCRIPTION The .Nm utility prompts the user for their login password, and uses it to decrypt the user's secret key stored in the .Xr publickey 5 database. Once decrypted, the user's key is stored by the local key server process .Xr keyserv 8 to be used by any secure network services, such as NFS. .Sh SEE ALSO .Xr chkey 1 , .Xr keylogout 1 , .Xr login 1 , .Xr publickey 5 , .Xr keyserv 8 , .Xr newkey 8 +.Sh HISTORY +The +.Nm +utility was removed from +.Fx 15.0 . diff --git a/usr.bin/keylogin/keylogin.c b/usr.bin/keylogin/keylogin.c index 021935163a1d..c8a4206df3b3 100644 --- a/usr.bin/keylogin/keylogin.c +++ b/usr.bin/keylogin/keylogin.c 
@@ -1,83 +1,84 @@ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user or with the express written consent of * Sun Microsystems, Inc. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #if !defined(lint) && defined(SCCSIDS) static char sccsid[] = "@(#)keylogin.c 1.4 91/03/11 Copyr 1986 Sun Micro"; #endif #include /* * Copyright (C) 1986, Sun Microsystems, Inc. */ /* * Set secret key on local machine */ #include #include #include #include #include #include #include extern int key_setnet(struct key_netstarg *); int main(void) { char fullname[MAXNETNAMELEN + 1]; struct key_netstarg netst; + fprintf(stderr, "keylogin is deprecated and removed from FreeBSD 15.\n"); if (!getnetname(fullname)) { fprintf(stderr, "netname lookup failed -- make sure the "); fprintf(stderr, "system domain name is set.\n"); exit(1); } if (! 
getsecretkey(fullname, (char *)&(netst.st_priv_key), getpass("Password:"))) { fprintf(stderr, "Can't find %s's secret key\n", fullname); exit(1); } if (netst.st_priv_key[0] == 0) { fprintf(stderr, "Password incorrect for %s\n", fullname); exit(1); } netst.st_pub_key[0] = 0; netst.st_netname = strdup(fullname); if (key_setnet(&netst) < 0) { fprintf(stderr, "Could not set %s's secret key\n", fullname); fprintf(stderr, "Maybe the keyserver is down?\n"); exit(1); } exit(0); /* NOTREACHED */ } diff --git a/usr.bin/keylogout/keylogout.1 b/usr.bin/keylogout/keylogout.1 index 1480a83aece5..b2d0071416ef 100644 --- a/usr.bin/keylogout/keylogout.1 +++ b/usr.bin/keylogout/keylogout.1 @@ -1,45 +1,50 @@ .\" @(#)keylogout.1 1.4 91/03/11 TIRPC 1.0; from 1.3 89/07/26 SMI; .Dd April 15, 1989 .Dt KEYLOGOUT 1 .Os .Sh NAME .Nm keylogout .Nd delete stored secret key .Sh SYNOPSIS .Nm .Op Fl f .Sh DEPRECATION NOTICE .Nm is deprecated and is not available as of .Fx 15.0. .Sh DESCRIPTION The .Nm utility deletes the key stored by the key server process .Xr keyserv 8 to be used by any secure network services, such as NFS. Further access to the key is revoked, however current session keys may remain valid till they expire, or are refreshed. This option will cause any background jobs that need secure RPC services to fail, and any scheduled .Nm at jobs that need the key to fail. Also since only one copy is kept on a machine of the key, it is a bad idea to place this in your .Pa .logout file since it will affect other sessions on the same machine. .Pp The following option is available: .Bl -tag -width indent .It Fl f Forget the rootkey. This will break secure NFS if it is done on a server. .El .Sh SEE ALSO .Xr chkey 1 , .Xr keylogin 1 , .Xr login 1 , .Xr publickey 5 , .Xr keyserv 8 , .Xr newkey 8 +.Sh HISTORY +The +.Nm +utility was removed from +.Fx 15.0 . diff --git a/usr.bin/keylogout/keylogout.c b/usr.bin/keylogout/keylogout.c index 03eeee0f6417..faad41462340 100644 
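Review bot: `netst.st_netname = strdup(fullname);` is never checked, so on allocation failure `key_setnet()` is handed a NULL netname; a check in the file's own style, `if (netst.st_netname == NULL) { fprintf(stderr, "out of memory\n"); exit(1); }`, keeps the failure explicit and on the same exit path as the other errors. Whether `key_setnet()` retains the pointer is not visible here, so the duplicate should stay rather than pointing at the stack buffer directly. The added notice prints before any netname or password handling, consistent with the other tools in this commit.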
--- a/usr.bin/keylogout/keylogout.c +++ b/usr.bin/keylogout/keylogout.c 
@@ -1,67 +1,68 @@ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user or with the express written consent of * Sun Microsystems, Inc. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ /* * Copyright (C) 1986, Sun Microsystems, Inc. 
*/ #include /* * unset the secret key on local machine */ #include #include #include #include #include int main(int argc, char **argv) { static char secret[HEXKEYBYTES + 1]; + fprintf(stderr, "keylogin is deprecated and removed from FreeBSD 15.\n"); if (geteuid() == 0) { if ((argc != 2 ) || (strcmp(argv[1], "-f") != 0)) { fprintf(stderr, "keylogout by root would break all servers that use secure rpc!\n"); fprintf(stderr, "root may use keylogout -f to do this (at your own risk)!\n"); exit(1); } } if (key_setsecret(secret) < 0) { fprintf(stderr, "Could not unset your secret key.\n"); fprintf(stderr, "Maybe the keyserver is down?\n"); exit(1); } exit(0); /* NOTREACHED */ } diff --git a/usr.bin/newkey/newkey.8 b/usr.bin/newkey/newkey.8 index 51dca6688bd0..294198c50972 100644 --- a/usr.bin/newkey/newkey.8 +++ b/usr.bin/newkey/newkey.8 
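Review bot: The added notice names the wrong program: this is keylogout.c, but the string reads "keylogin is deprecated …", so a user running keylogout is told that keylogin is going away; change it to `fprintf(stderr, "keylogout is deprecated and removed from FreeBSD 15.\n");`. The same sentence appears in chkey.c, keylogin.c, newkey.c and keyserv.c with each program's own name baked in, which is how this copy-and-paste slip crept in; formatting the notice with `getprogname()` would keep the five messages from drifting.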
@@ -1,62 +1,67 @@ .\" @(#)newkey.8 1.3 91/03/11 TIRPC 1.0; from 1.12 90/02/03 SMI; .Dd October 12, 1987 .Dt NEWKEY 8 .Os .Sh NAME .Nm newkey .Nd create a new key in the publickey database .Sh SYNOPSIS .Nm .Fl h Ar hostname .Nm .Fl u Ar username .Sh DEPRECATION NOTICE .Nm is deprecated and is not available as of .Fx 15.0. .Sh DESCRIPTION The .Nm utility is normally run by the network administrator on the Network Interface Service .Pq NIS master machine in order to establish public keys for users and super-users on the network. These keys are needed for using secure RPC or secure NFS . .Pp The .Nm utility will prompt for the login password of the given username and then create a new public/secret key pair in .Pa /etc/publickey encrypted with the login password of the given user. .Pp Use of this program is not required: users may create their own keys using .Xr chkey 1 . .Sh OPTIONS .Bl -tag -width indent .It Fl h Ar hostname Create a new public key for the super-user at the given hostname. Prompts for the root password of the given hostname. .It Fl u Ar username Create a new public key for the given username. Prompts for the NIS password of the given username. .El .Sh SEE ALSO .Xr chkey 1 , .Xr keylogin 1 , .Xr publickey 5 , .Xr keyserv 8 +.Sh HISTORY +The +.Nm +utility was removed from +.Fx 15.0 . .Sh NOTES The Network Information Service .Pq NIS was formerly known as Sun Yellow Pages .Pq YP . The functionality of the two remains the same; only the name has changed. diff --git a/usr.bin/newkey/newkey.c b/usr.bin/newkey/newkey.c index 6efe64993ec5..6998ddf34658 100644 --- a/usr.bin/newkey/newkey.c +++ b/usr.bin/newkey/newkey.c 
@@ -1,233 +1,234 @@ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user or with the express written consent of * Sun Microsystems, Inc. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #if !defined(lint) && defined(SCCSIDS) #if 0 static char sccsid[] = "@(#)newkey.c 1.8 91/03/11 Copyr 1986 Sun Micro"; #endif #endif /* * Copyright (C) 1986, Sun Microsystems, Inc. 
*/ /* * Administrative tool to add a new user to the publickey database */ #include #include #include #include #include #include #ifdef YP #include #include #include #include #endif /* YP */ #include #include #include #include #include #include #include "extern.h" #ifdef YP #define MAXMAPNAMELEN 256 #else #define YPOP_CHANGE 1 /* change, do not add */ #define YPOP_INSERT 2 /* add, do not change */ #define YPOP_DELETE 3 /* delete this entry */ #define YPOP_STORE 4 /* add, or change */ #define ERR_ACCESS 1 #define ERR_MALLOC 2 #define ERR_READ 3 #define ERR_WRITE 4 #define ERR_DBASE 5 #define ERR_KEY 6 #endif #ifdef YP static char YPDBPATH[]="/var/yp"; static char PKMAP[] = "publickey.byname"; #else static char PKFILE[] = "/etc/publickey"; static const char *err_string(int); #endif /* YP */ static void usage(void) __dead2; int main(int argc, char *argv[]) { char name[MAXNETNAMELEN + 1]; char public[HEXKEYBYTES + 1]; char secret[HEXKEYBYTES + 1]; char crypt1[HEXKEYBYTES + KEYCHECKSUMSIZE + 1]; char crypt2[HEXKEYBYTES + KEYCHECKSUMSIZE + 1]; int status; char *pass; struct passwd *pw; #ifdef undef struct hostent *h; #endif + fprintf(stderr, "newkey is deprecated and removed from FreeBSD 15.\n"); if (argc != 3 || !(strcmp(argv[1], "-u") == 0 || strcmp(argv[1], "-h") == 0)) { usage(); } if (geteuid() != 0) errx(1, "must be superuser"); #ifdef YP if (chdir(YPDBPATH) < 0) warn("cannot chdir to %s", YPDBPATH); #endif /* YP */ if (strcmp(argv[1], "-u") == 0) { pw = getpwnam(argv[2]); if (pw == NULL) errx(1, "unknown user: %s", argv[2]); (void)user2netname(name, (int)pw->pw_uid, (char *)NULL); } else { #ifdef undef h = gethostbyname(argv[2]); if (h == NULL) errx(1, "unknown host: %s", argv[1]); (void)host2netname(name, h->h_name, (char *)NULL); #else (void)host2netname(name, argv[2], (char *)NULL); #endif } (void)printf("Adding new key for %s.\n", name); pass = getpass("New password:"); genkeys(public, secret, pass); memcpy(crypt1, secret, HEXKEYBYTES); memcpy(crypt1 + 
HEXKEYBYTES, secret, KEYCHECKSUMSIZE); crypt1[HEXKEYBYTES + KEYCHECKSUMSIZE] = 0; xencrypt(crypt1, pass); memcpy(crypt2, crypt1, HEXKEYBYTES + KEYCHECKSUMSIZE + 1); xdecrypt(crypt2, getpass("Retype password:")); if (memcmp(crypt2, crypt2 + HEXKEYBYTES, KEYCHECKSUMSIZE) != 0 || memcmp(crypt2, secret, HEXKEYBYTES) != 0) errx(1, "password incorrect"); #ifdef YP (void)printf("Please wait for the database to get updated...\n"); #endif if ((status = setpublicmap(name, public, crypt1))) { #ifdef YP errx(1, "unable to update NIS database (%u): %s", status, yperr_string(status)); #else errx(1, "unable to update publickey database (%u): %s", status, err_string(status)); #endif } (void)printf("Your new key has been successfully stored away.\n"); exit(0); /* NOTREACHED */ } static void usage(void) { (void)fprintf(stderr, "%s\n%s\n", "usage: newkey -h hostname", " newkey -u username"); exit(1); } /* * Set the entry in the public key file */ int setpublicmap(char *name, char *public, char *secret) { char pkent[1024]; (void)sprintf(pkent, "%s:%s", public, secret); #ifdef YP return (mapupdate(name, PKMAP, YPOP_STORE, strlen(name), name, strlen(pkent), pkent)); #else return (localupdate(name, PKFILE, YPOP_STORE, strlen(name), name, strlen(pkent), pkent)); #endif } #ifndef YP /* * This returns a pointer to an error message string appropriate * to an input error code. An input value of zero will return * a success message. */ static const char * err_string(int code) { const char *pmesg; switch (code) { case 0: pmesg = "update operation succeeded"; break; case ERR_KEY: pmesg = "no such key in file"; break; case ERR_READ: pmesg = "cannot read the database"; break; case ERR_WRITE: pmesg = "cannot write to the database"; break; case ERR_DBASE: pmesg = "cannot update database"; break; case ERR_ACCESS: pmesg = "permission denied"; break; case ERR_MALLOC: pmesg = "malloc failed"; break; default: pmesg = "unknown error"; break; } return (pmesg); } #endif 
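Review bot: In setpublicmap() `(void)sprintf(pkent, "%s:%s", public, secret);` writes into a 1024-byte buffer with no bound; the only callers pass fixed-size key buffers, so it is presumably within limits today, but `if (snprintf(pkent, sizeof pkent, "%s:%s", public, secret) >= (int)sizeof pkent) return (ERR_WRITE);` (or the YP equivalent of a failure code) costs nothing and makes the assumption checkable. chkey.c's setpublicmap() in this same commit has the identical line. The deprecation notice added at the top of main is fine as written.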
diff --git a/usr.sbin/keyserv/keyserv.8 b/usr.sbin/keyserv/keyserv.8 index 17007c7d8f40..578f548cbe73 100644 --- a/usr.sbin/keyserv/keyserv.8 +++ b/usr.sbin/keyserv/keyserv.8 
@@ -1,83 +1,88 @@ .\" @(#)keyserv.1m 1.21 93/07/14 SMI; from SVr4 .\"macro stdmacro .\" Copyright 1989 AT&T .\" @(#)keyserv.8c 1.8 89/03/29 SMI; .\".TH KEYSERV 8C "9 September 1987" .Dd September 14, 1992 .Dt KEYSERV 8 .Os .Sh NAME .Nm keyserv .Nd server for storing private encryption keys .Sh SYNOPSIS .Nm .Op Fl d .Op Fl D .Op Fl n .Op Fl p Ar path .Op Fl v .Sh DEPRECATION NOTICE .Nm is deprecated and is not available as of .Fx 15.0. .Sh DESCRIPTION The .Nm utility is a daemon that is used for storing the private encryption keys of each user logged into the system. These encryption keys are used for accessing secure network services such as secure .Tn NFS . .Pp Normally, root's key is read from the file .Pa /etc/.rootkey when the daemon is started. This is useful during power-fail reboots when no one is around to type a password. .Pp If a client with no secret key calls .Nm , then the key of user .Em nobody is used instead as the default key. .Pp The following options are available: .Bl -tag -width indent .It Fl d Disable the use of default keys for .Em nobody . .It Fl D Run in debugging mode and log all requests to .Nm . .It Fl n Root's secret key is not read from .Pa /etc/.rootkey . Instead, .Nm prompts the user for the password to decrypt root's key stored in the .Pa /etc/publickey database and then stores the decrypted key in .Pa /etc/.rootkey for future use. This option is useful if the .Pa /etc/.rootkey file ever gets out of date or corrupted. .It Fl p Ar path Specify where to search for .Pa libdes.so.3 . Default is .Pa /usr/lib . .It Fl v Display status of DES support (enabled/disabled). .El .Sh FILES .Bl -tag -width /usr/lib/libdes.so.3 -compact .It Pa /etc/.rootkey .It Pa /usr/lib/libdes.so.3 .El .Sh "SEE ALSO" .Xr keylogin 1 , .Xr keylogout 1 , .Xr publickey 5 +.Sh HISTORY +The +.Nm +utility was removed from +.Fx 15.0 . diff --git a/usr.sbin/keyserv/keyserv.c b/usr.sbin/keyserv/keyserv.c index bc219e886020..4fe719029d01 100644 
--- a/usr.sbin/keyserv/keyserv.c +++ b/usr.sbin/keyserv/keyserv.c 
@@ -1,759 +1,760 @@ /* * Sun RPC is a product of Sun Microsystems, Inc. and is provided for * unrestricted use provided that this legend is included on all tape * media and as a part of the software program in whole or part. Users * may copy or modify Sun RPC without charge, but are not authorized * to license or distribute it to anyone else except as part of a product or * program developed by the user. * * SUN RPC IS PROVIDED AS IS WITH NO WARRANTIES OF ANY KIND INCLUDING THE * WARRANTIES OF DESIGN, MERCHANTIBILITY AND FITNESS FOR A PARTICULAR * PURPOSE, OR ARISING FROM A COURSE OF DEALING, USAGE OR TRADE PRACTICE. * * Sun RPC is provided with no support and without any obligation on the * part of Sun Microsystems, Inc. to assist in its use, correction, * modification or enhancement. * * SUN MICROSYSTEMS, INC. SHALL HAVE NO LIABILITY WITH RESPECT TO THE * INFRINGEMENT OF COPYRIGHTS, TRADE SECRETS OR ANY PATENTS BY SUN RPC * OR ANY PART THEREOF. * * In no event will Sun Microsystems, Inc. be liable for any lost revenue * or profits or other special, indirect and consequential damages, even if * Sun has been advised of the possibility of such damages. * * Sun Microsystems, Inc. * 2550 Garcia Avenue * Mountain View, California 94043 */ #ifndef lint #if 0 static char sccsid[] = "@(#)keyserv.c 1.15 94/04/25 SMI"; #endif #endif /* not lint */ /* * Copyright (c) 1986 - 1991 by Sun Microsystems, Inc. */ /* * Keyserver * Store secret keys per uid. Do public key encryption and decryption * operations. Generate "random" keys. 
* Do not talk to anything but a local root * process on the local transport only */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "keyserv.h" #ifndef NGROUPS #define NGROUPS 16 #endif #ifndef KEYSERVSOCK #define KEYSERVSOCK "/var/run/keyservsock" #endif static void randomize( des_block * ); static void usage( void ); static int getrootkey( des_block *, int ); static int root_auth( SVCXPRT *, struct svc_req * ); #ifdef DEBUG static int debugging = 1; #else static int debugging = 0; #endif static void keyprogram(struct svc_req *rqstp, SVCXPRT *transp); static des_block masterkey; static char ROOTKEY[] = "/etc/.rootkey"; /* * Hack to allow the keyserver to use AUTH_DES (for authenticated * NIS+ calls, for example). The only functions that get called * are key_encryptsession_pk, key_decryptsession_pk, and key_gendes. * * The approach is to have the keyserver fill in pointers to local * implementations of these functions, and to call those in key_call(). 
*/ extern cryptkeyres *(*__key_encryptsession_pk_LOCAL)(); extern cryptkeyres *(*__key_decryptsession_pk_LOCAL)(); extern des_block *(*__key_gendes_LOCAL)(); extern int (*__des_crypt_LOCAL)(); cryptkeyres *key_encrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * ); cryptkeyres *key_decrypt_pk_2_svc_prog( uid_t, cryptkeyarg2 * ); des_block *key_gen_1_svc_prog( void *, struct svc_req * ); int main(int argc, char *argv[]) { int nflag = 0; int c; int warn = 0; char *path = NULL; void *localhandle; register SVCXPRT *transp; struct netconfig *nconf = NULL; + fprintf(stderr, "keyserv is deprecated and removed from FreeBSD 15.\n"); __key_encryptsession_pk_LOCAL = &key_encrypt_pk_2_svc_prog; __key_decryptsession_pk_LOCAL = &key_decrypt_pk_2_svc_prog; __key_gendes_LOCAL = &key_gen_1_svc_prog; while ((c = getopt(argc, argv, "ndDvp:")) != -1) switch (c) { case 'n': nflag++; break; case 'd': pk_nodefaultkeys(); break; case 'D': debugging = 1; break; case 'v': warn = 1; break; case 'p': path = optarg; break; default: usage(); } load_des(warn, path); __des_crypt_LOCAL = _my_crypt; if (svc_auth_reg(AUTH_DES, _svcauth_des) == -1) errx(1, "failed to register AUTH_DES authenticator"); if (optind != argc) { usage(); } /* * Initialize */ (void) umask(S_IXUSR|S_IXGRP|S_IXOTH); if (geteuid() != 0) errx(1, "keyserv must be run as root"); setmodulus(HEXMODULUS); getrootkey(&masterkey, nflag); rpcb_unset(KEY_PROG, KEY_VERS, NULL); rpcb_unset(KEY_PROG, KEY_VERS2, NULL); if (svc_create(keyprogram, KEY_PROG, KEY_VERS, "netpath") == 0) { (void) fprintf(stderr, "%s: unable to create service\n", argv[0]); exit(1); } if (svc_create(keyprogram, KEY_PROG, KEY_VERS2, "netpath") == 0) { (void) fprintf(stderr, "%s: unable to create service\n", argv[0]); exit(1); } localhandle = setnetconfig(); while ((nconf = getnetconfig(localhandle)) != NULL) { if (nconf->nc_protofmly != NULL && strcmp(nconf->nc_protofmly, NC_LOOPBACK) == 0) break; } if (nconf == NULL) errx(1, "getnetconfig: %s", nc_sperror()); 
unlink(KEYSERVSOCK); rpcb_unset(CRYPT_PROG, CRYPT_VERS, nconf); transp = svcunix_create(RPC_ANYSOCK, 0, 0, KEYSERVSOCK); if (transp == NULL) errx(1, "cannot create AF_LOCAL service"); if (!svc_reg(transp, KEY_PROG, KEY_VERS, keyprogram, nconf)) errx(1, "unable to register (KEY_PROG, KEY_VERS, unix)"); if (!svc_reg(transp, KEY_PROG, KEY_VERS2, keyprogram, nconf)) errx(1, "unable to register (KEY_PROG, KEY_VERS2, unix)"); if (!svc_reg(transp, CRYPT_PROG, CRYPT_VERS, crypt_prog_1, nconf)) errx(1, "unable to register (CRYPT_PROG, CRYPT_VERS, unix)"); endnetconfig(localhandle); (void) umask(066); /* paranoia */ if (!debugging) { daemon(0,0); } signal(SIGPIPE, SIG_IGN); svc_run(); abort(); /* NOTREACHED */ } /* * In the event that we don't get a root password, we try to * randomize the master key the best we can */ static void randomize(des_block *master) { master->key.low = arc4random(); master->key.high = arc4random(); } /* * Try to get root's secret key, by prompting if terminal is a tty, else trying * from standard input. * Returns 1 on success. 
*/ static int getrootkey(des_block *master, int prompt) { char *passwd; char name[MAXNETNAMELEN + 1]; char secret[HEXKEYBYTES]; key_netstarg netstore; int fd; if (!prompt) { /* * Read secret key out of ROOTKEY */ fd = open(ROOTKEY, O_RDONLY, 0); if (fd < 0) { randomize(master); return (0); } if (read(fd, secret, HEXKEYBYTES) < HEXKEYBYTES) { warnx("the key read from %s was too short", ROOTKEY); (void) close(fd); return (0); } (void) close(fd); if (!getnetname(name)) { warnx( "failed to generate host's netname when establishing root's key"); return (0); } memcpy(netstore.st_priv_key, secret, HEXKEYBYTES); memset(netstore.st_pub_key, 0, HEXKEYBYTES); netstore.st_netname = name; if (pk_netput(0, &netstore) != KEY_SUCCESS) { warnx("could not set root's key and netname"); return (0); } return (1); } /* * Decrypt yellow pages publickey entry to get secret key */ passwd = getpass("root password:"); passwd2des(passwd, (char *)master); getnetname(name); if (!getsecretkey(name, secret, passwd)) { warnx("can't find %s's secret key", name); return (0); } if (secret[0] == 0) { warnx("password does not decrypt secret key for %s", name); return (0); } (void) pk_setkey(0, secret); /* * Store it for future use in $ROOTKEY, if possible */ fd = open(ROOTKEY, O_WRONLY|O_TRUNC|O_CREAT, 0); if (fd > 0) { char newline = '\n'; write(fd, secret, strlen(secret)); write(fd, &newline, sizeof (newline)); close(fd); } return (1); } /* * Procedures to implement RPC service */ char * strstatus(keystatus status) { switch (status) { case KEY_SUCCESS: return ("KEY_SUCCESS"); case KEY_NOSECRET: return ("KEY_NOSECRET"); case KEY_UNKNOWN: return ("KEY_UNKNOWN"); case KEY_SYSTEMERR: return ("KEY_SYSTEMERR"); default: return ("(bad result code)"); } } keystatus * key_set_1_svc_prog(uid_t uid, keybuf key) { static keystatus status; if (debugging) { (void) fprintf(stderr, "set(%u, %.*s) = ", uid, (int) sizeof (keybuf), key); } status = pk_setkey(uid, key); if (debugging) { (void) fprintf(stderr, "%s\n", 
strstatus(status)); (void) fflush(stderr); } return (&status); } cryptkeyres * key_encrypt_pk_2_svc_prog(uid_t uid, cryptkeyarg2 *arg) { static cryptkeyres res; if (debugging) { (void) fprintf(stderr, "encrypt(%u, %s, %08x%08x) = ", uid, arg->remotename, arg->deskey.key.high, arg->deskey.key.low); } res.cryptkeyres_u.deskey = arg->deskey; res.status = pk_encrypt(uid, arg->remotename, &(arg->remotekey), &res.cryptkeyres_u.deskey); if (debugging) { if (res.status == KEY_SUCCESS) { (void) fprintf(stderr, "%08x%08x\n", res.cryptkeyres_u.deskey.key.high, res.cryptkeyres_u.deskey.key.low); } else { (void) fprintf(stderr, "%s\n", strstatus(res.status)); } (void) fflush(stderr); } return (&res); } cryptkeyres * key_decrypt_pk_2_svc_prog(uid_t uid, cryptkeyarg2 *arg) { static cryptkeyres res; if (debugging) { (void) fprintf(stderr, "decrypt(%u, %s, %08x%08x) = ", uid, arg->remotename, arg->deskey.key.high, arg->deskey.key.low); } res.cryptkeyres_u.deskey = arg->deskey; res.status = pk_decrypt(uid, arg->remotename, &(arg->remotekey), &res.cryptkeyres_u.deskey); if (debugging) { if (res.status == KEY_SUCCESS) { (void) fprintf(stderr, "%08x%08x\n", res.cryptkeyres_u.deskey.key.high, res.cryptkeyres_u.deskey.key.low); } else { (void) fprintf(stderr, "%s\n", strstatus(res.status)); } (void) fflush(stderr); } return (&res); } keystatus * key_net_put_2_svc_prog(uid_t uid, key_netstarg *arg) { static keystatus status; if (debugging) { (void) fprintf(stderr, "net_put(%s, %.*s, %.*s) = ", arg->st_netname, (int)sizeof (arg->st_pub_key), arg->st_pub_key, (int)sizeof (arg->st_priv_key), arg->st_priv_key); } status = pk_netput(uid, arg); if (debugging) { (void) fprintf(stderr, "%s\n", strstatus(status)); (void) fflush(stderr); } return (&status); } key_netstres * key_net_get_2_svc_prog(uid_t uid, void *arg) { static key_netstres keynetname; if (debugging) (void) fprintf(stderr, "net_get(%u) = ", uid); keynetname.status = pk_netget(uid, &keynetname.key_netstres_u.knet); if (debugging) { 
if (keynetname.status == KEY_SUCCESS) { fprintf(stderr, "<%s, %.*s, %.*s>\n", keynetname.key_netstres_u.knet.st_netname, (int)sizeof (keynetname.key_netstres_u.knet.st_pub_key), keynetname.key_netstres_u.knet.st_pub_key, (int)sizeof (keynetname.key_netstres_u.knet.st_priv_key), keynetname.key_netstres_u.knet.st_priv_key); } else { (void) fprintf(stderr, "NOT FOUND\n"); } (void) fflush(stderr); } return (&keynetname); } cryptkeyres * key_get_conv_2_svc_prog(uid_t uid, keybuf arg) { static cryptkeyres res; if (debugging) (void) fprintf(stderr, "get_conv(%u, %.*s) = ", uid, (int)sizeof (keybuf), arg); res.status = pk_get_conv_key(uid, arg, &res); if (debugging) { if (res.status == KEY_SUCCESS) { (void) fprintf(stderr, "%08x%08x\n", res.cryptkeyres_u.deskey.key.high, res.cryptkeyres_u.deskey.key.low); } else { (void) fprintf(stderr, "%s\n", strstatus(res.status)); } (void) fflush(stderr); } return (&res); } cryptkeyres * key_encrypt_1_svc_prog(uid_t uid, cryptkeyarg *arg) { static cryptkeyres res; if (debugging) { (void) fprintf(stderr, "encrypt(%u, %s, %08x%08x) = ", uid, arg->remotename, arg->deskey.key.high, arg->deskey.key.low); } res.cryptkeyres_u.deskey = arg->deskey; res.status = pk_encrypt(uid, arg->remotename, NULL, &res.cryptkeyres_u.deskey); if (debugging) { if (res.status == KEY_SUCCESS) { (void) fprintf(stderr, "%08x%08x\n", res.cryptkeyres_u.deskey.key.high, res.cryptkeyres_u.deskey.key.low); } else { (void) fprintf(stderr, "%s\n", strstatus(res.status)); } (void) fflush(stderr); } return (&res); } cryptkeyres * key_decrypt_1_svc_prog(uid_t uid, cryptkeyarg *arg) { static cryptkeyres res; if (debugging) { (void) fprintf(stderr, "decrypt(%u, %s, %08x%08x) = ", uid, arg->remotename, arg->deskey.key.high, arg->deskey.key.low); } res.cryptkeyres_u.deskey = arg->deskey; res.status = pk_decrypt(uid, arg->remotename, NULL, &res.cryptkeyres_u.deskey); if (debugging) { if (res.status == KEY_SUCCESS) { (void) fprintf(stderr, "%08x%08x\n", 
res.cryptkeyres_u.deskey.key.high, res.cryptkeyres_u.deskey.key.low); } else { (void) fprintf(stderr, "%s\n", strstatus(res.status)); } (void) fflush(stderr); } return (&res); } /* ARGSUSED */ des_block * key_gen_1_svc_prog(void *v, struct svc_req *s) { struct timeval time; static des_block keygen; static des_block key; (void)gettimeofday(&time, NULL); keygen.key.high += (time.tv_sec ^ time.tv_usec); keygen.key.low += (time.tv_sec ^ time.tv_usec); ecb_crypt((char *)&masterkey, (char *)&keygen, sizeof (keygen), DES_ENCRYPT | DES_HW); key = keygen; des_setparity((char *)&key); if (debugging) { (void) fprintf(stderr, "gen() = %08x%08x\n", key.key.high, key.key.low); (void) fflush(stderr); } return (&key); } getcredres * key_getcred_1_svc_prog(uid_t uid, netnamestr *name) { static getcredres res; static u_int gids[NGROUPS]; struct unixcred *cred; cred = &res.getcredres_u.cred; cred->gids.gids_val = gids; if (!netname2user(*name, (uid_t *) &cred->uid, (gid_t *) &cred->gid, (int *)&cred->gids.gids_len, (gid_t *)gids)) { res.status = KEY_UNKNOWN; } else { res.status = KEY_SUCCESS; } if (debugging) { (void) fprintf(stderr, "getcred(%s) = ", *name); if (res.status == KEY_SUCCESS) { (void) fprintf(stderr, "uid=%d, gid=%d, grouplen=%d\n", cred->uid, cred->gid, cred->gids.gids_len); } else { (void) fprintf(stderr, "%s\n", strstatus(res.status)); } (void) fflush(stderr); } return (&res); } /* * RPC boilerplate */ static void keyprogram(struct svc_req *rqstp, SVCXPRT *transp) { union { keybuf key_set_1_arg; cryptkeyarg key_encrypt_1_arg; cryptkeyarg key_decrypt_1_arg; netnamestr key_getcred_1_arg; cryptkeyarg key_encrypt_2_arg; cryptkeyarg key_decrypt_2_arg; netnamestr key_getcred_2_arg; cryptkeyarg2 key_encrypt_pk_2_arg; cryptkeyarg2 key_decrypt_pk_2_arg; key_netstarg key_net_put_2_arg; netobj key_get_conv_2_arg; } argument; char *result; xdrproc_t xdr_argument, xdr_result; typedef void *(svc_cb)(uid_t uid, void *arg); svc_cb *local; uid_t uid = -1; int check_auth; switch 
(rqstp->rq_proc) { case NULLPROC: svc_sendreply(transp, (xdrproc_t)xdr_void, NULL); return; case KEY_SET: xdr_argument = (xdrproc_t)xdr_keybuf; xdr_result = (xdrproc_t)xdr_int; local = (svc_cb *)key_set_1_svc_prog; check_auth = 1; break; case KEY_ENCRYPT: xdr_argument = (xdrproc_t)xdr_cryptkeyarg; xdr_result = (xdrproc_t)xdr_cryptkeyres; local = (svc_cb *)key_encrypt_1_svc_prog; check_auth = 1; break; case KEY_DECRYPT: xdr_argument = (xdrproc_t)xdr_cryptkeyarg; xdr_result = (xdrproc_t)xdr_cryptkeyres; local = (svc_cb *)key_decrypt_1_svc_prog; check_auth = 1; break; case KEY_GEN: xdr_argument = (xdrproc_t)xdr_void; xdr_result = (xdrproc_t)xdr_des_block; local = (svc_cb *)key_gen_1_svc_prog; check_auth = 0; break; case KEY_GETCRED: xdr_argument = (xdrproc_t)xdr_netnamestr; xdr_result = (xdrproc_t)xdr_getcredres; local = (svc_cb *)key_getcred_1_svc_prog; check_auth = 0; break; case KEY_ENCRYPT_PK: xdr_argument = (xdrproc_t)xdr_cryptkeyarg2; xdr_result = (xdrproc_t)xdr_cryptkeyres; local = (svc_cb *)key_encrypt_pk_2_svc_prog; check_auth = 1; break; case KEY_DECRYPT_PK: xdr_argument = (xdrproc_t)xdr_cryptkeyarg2; xdr_result = (xdrproc_t)xdr_cryptkeyres; local = (svc_cb *)key_decrypt_pk_2_svc_prog; check_auth = 1; break; case KEY_NET_PUT: xdr_argument = (xdrproc_t)xdr_key_netstarg; xdr_result = (xdrproc_t)xdr_keystatus; local = (svc_cb *)key_net_put_2_svc_prog; check_auth = 1; break; case KEY_NET_GET: xdr_argument = (xdrproc_t) xdr_void; xdr_result = (xdrproc_t)xdr_key_netstres; local = (svc_cb *)key_net_get_2_svc_prog; check_auth = 1; break; case KEY_GET_CONV: xdr_argument = (xdrproc_t) xdr_keybuf; xdr_result = (xdrproc_t)xdr_cryptkeyres; local = (svc_cb *)key_get_conv_2_svc_prog; check_auth = 1; break; default: svcerr_noproc(transp); return; } if (check_auth) { if (root_auth(transp, rqstp) == 0) { if (debugging) { (void) fprintf(stderr, "not local privileged process\n"); } svcerr_weakauth(transp); return; } if (rqstp->rq_cred.oa_flavor != AUTH_SYS) { if (debugging) { 
(void) fprintf(stderr, "not unix authentication\n"); } svcerr_weakauth(transp); return; } uid = ((struct authsys_parms *)rqstp->rq_clntcred)->aup_uid; } memset(&argument, 0, sizeof (argument)); if (!svc_getargs(transp, xdr_argument, &argument)) { svcerr_decode(transp); return; } result = (*local) (uid, &argument); if (!svc_sendreply(transp, xdr_result, result)) { if (debugging) (void) fprintf(stderr, "unable to reply\n"); svcerr_systemerr(transp); } if (!svc_freeargs(transp, xdr_argument, &argument)) { if (debugging) (void) fprintf(stderr, "unable to free arguments\n"); exit(1); } return; } static int root_auth(SVCXPRT *trans, struct svc_req *rqstp) { uid_t uid; struct sockaddr *remote; remote = svc_getrpccaller(trans)->buf; if (remote->sa_family != AF_UNIX) { if (debugging) fprintf(stderr, "client didn't use AF_UNIX\n"); return (0); } if (__rpc_get_local_uid(trans, &uid) < 0) { if (debugging) fprintf(stderr, "__rpc_get_local_uid failed\n"); return (0); } if (debugging) fprintf(stderr, "local_uid %u\n", uid); if (uid == 0) return (1); if (rqstp->rq_cred.oa_flavor == AUTH_SYS) { if (((uid_t) ((struct authunix_parms *) rqstp->rq_clntcred)->aup_uid) == uid) { return (1); } else { if (debugging) fprintf(stderr, "local_uid %u mismatches auth %u\n", uid, ((uid_t) ((struct authunix_parms *)rqstp->rq_clntcred)->aup_uid)); return (0); } } else { if (debugging) fprintf(stderr, "Not auth sys\n"); return (0); } } static void usage(void) { (void) fprintf(stderr, "usage: keyserv [-n] [-D] [-d] [-v] [-p path]\n"); (void) fprintf(stderr, "-d disables the use of default keys\n"); exit(1); }