--- loncom/lond 2004/07/28 21:33:22 1.217 +++ loncom/lond 2004/08/02 20:59:46 1.221 @@ -2,7 +2,7 @@ # The LearningOnline Network # lond "LON Daemon" Server (port "LOND" 5663) # -# $Id: lond,v 1.217 2004/07/28 21:33:22 foxr Exp $ +# $Id: lond,v 1.221 2004/08/02 20:59:46 albertel Exp $ # # Copyright Michigan State University Board of Trustees # @@ -50,13 +50,14 @@ use File::Copy; use LONCAPA::ConfigFileEdit; use LONCAPA::lonlocal; use LONCAPA::lonssl; +use Fcntl qw(:flock); my $DEBUG = 0; # Non zero to enable debug log entries. my $status=''; my $lastlog=''; -my $VERSION='$Revision: 1.217 $'; #' stupid emacs +my $VERSION='$Revision: 1.221 $'; #' stupid emacs my $remoteVERSION; my $currenthostid="default"; my $currentdomainid; @@ -1204,6 +1205,218 @@ sub user_load_handler { } register_handler("userload", \&user_load_handler, 0, 1, 0); +# Process a request for the authorization type of a user: +# (userauth). +# +# Parameters: +# $cmd - the actual keyword that invoked us. +# $tail - the tail of the request that invoked us. +# $replyfd- File descriptor connected to the client +# Returns: +# 1 - Ok to continue processing. +# 0 - Program should exit +# Implicit outputs: +# The user authorization type is written to the client. +# +sub user_authorization_type { + my ($cmd, $tail, $replyfd) = @_; + + my $userinput = "$cmd:$tail"; + + # Pull the domain and username out of the command tail. + # and call GetAuthType to determine the authentication type. + + my ($udom,$uname)=split(/:/,$tail); + my $result = &GetAuthType($udom, $uname); + if($result eq "nouser") { + &Failure( $replyfd, "unknown_user\n", $userinput); + } else { + # + # We only want to pass the second field from GetAuthType + # for ^krb.. otherwise we'll be handing out the encrypted + # password for internals e.g. + # + my ($type,$otherinfo) = split(/:/,$result); + if($type =~ /^krb/) { + $type = $result; + } + &Reply( $replyfd, "$type\n", $userinput); + } + + return 1; +} +®ister_handler("currentauth", \&user_authorization_type, 1, 1, 0); + +# Process a request by a manager to push a hosts or domain table +# to us. We pick apart the command and pass it on to the subs +# that already exist to do this. +# +# Parameters: +# $cmd - the actual keyword that invoked us. +# $tail - the tail of the request that invoked us. +# $client - File descriptor connected to the client +# Returns: +# 1 - Ok to continue processing. +# 0 - Program should exit +# Implicit Output: +# a reply is written to the client. + +sub push_file_handler { + my ($cmd, $tail, $client) = @_; + + my $userinput = "$cmd:$tail"; + + # At this time we only know that the IP of our partner is a valid manager + # the code below is a hook to do further authentication (e.g. to resolve + # spoofing). + + my $cert = &GetCertificate($userinput); + if(&ValidManager($cert)) { + + # Now presumably we have the bona fides of both the peer host and the + # process making the request. + + my $reply = &PushFile($userinput); + &Reply($client, "$reply\n", $userinput); + + } else { + &Failure( $client, "refused\n", $userinput); + } + return 1; +} +®ister_handler("pushfile", \&push_file_handler, 1, 0, 1); + + + +# Process a reinit request. Reinit requests that either +# lonc or lond be reinitialized so that an updated +# host.tab or domain.tab can be processed. +# +# Parameters: +# $cmd - the actual keyword that invoked us. +# $tail - the tail of the request that invoked us. +# $client - File descriptor connected to the client +# Returns: +# 1 - Ok to continue processing. +# 0 - Program should exit +# Implicit output: +# a reply is sent to the client. +# +sub reinit_process_handler { + my ($cmd, $tail, $client) = @_; + + my $userinput = "$cmd:$tail"; + + my $cert = &GetCertificate($userinput); + if(&ValidManager($cert)) { + chomp($userinput); + my $reply = &ReinitProcess($userinput); + &Reply( $client, "$reply\n", $userinput); + } else { + &Failure( $client, "refused\n", $userinput); + } + return 1; +} + +®ister_handler("reinit", \&reinit_process_handler, 1, 0, 1); + +# Process the editing script for a table edit operation. +# the editing operation must be encrypted and requested by +# a manager host. +# +# Parameters: +# $cmd - the actual keyword that invoked us. +# $tail - the tail of the request that invoked us. +# $client - File descriptor connected to the client +# Returns: +# 1 - Ok to continue processing. +# 0 - Program should exit +# Implicit output: +# a reply is sent to the client. +# +sub edit_table_handler { + my ($command, $tail, $client) = @_; + + my $userinput = "$command:$tail"; + + my $cert = &GetCertificate($userinput); + if(&ValidManager($cert)) { + my($filetype, $script) = split(/:/, $tail); + if (($filetype eq "hosts") || + ($filetype eq "domain")) { + if($script ne "") { + &Reply($client, # BUGBUG - EditFile + &EditFile($userinput), # could fail. + $userinput); + } else { + &Failure($client,"refused\n",$userinput); + } + } else { + &Failure($client,"refused\n",$userinput); + } + } else { + &Failure($client,"refused\n",$userinput); + } + return 1; +} +register_handler("edit", \&edit_table_handler, 1, 0, 1); + + +# +# Authenticate a user against the LonCAPA authentication +# database. Note that there are several authentication +# possibilities: +# - unix - The user can be authenticated against the unix +# password file. +# - internal - The user can be authenticated against a purely +# internal per user password file. +# - kerberos - The user can be authenticated against either a kerb4 or kerb5 +# ticket granting authority. +# - user - The person tailoring LonCAPA can supply a user authentication +# mechanism that is per system. +# +# Parameters: +# $cmd - The command that got us here. +# $tail - Tail of the command (remaining parameters). +# $client - File descriptor connected to client. +# Returns +# 0 - Requested to exit, caller should shut down. +# 1 - Continue processing. +# Implicit inputs: +# The authentication systems describe above have their own forms of implicit +# input into the authentication process that are described above. +# +sub authenticate_handler { + my ($cmd, $tail, $client) = @_; + + + # Regenerate the full input line + + my $userinput = $cmd.":".$tail; + + # udom - User's domain. + # uname - Username. + # upass - User's password. + + my ($udom,$uname,$upass)=split(/:/,$tail); + &Debug(" Authenticate domain = $udom, user = $uname, password = $upass"); + chomp($upass); + $upass=&unescape($upass); + + my $pwdcorrect = &validate_user($udom, $uname, $upass); + if($pwdcorrect) { + &Reply( $client, "authorized\n", $userinput); + # + # Bad credentials: Failed to authorize + # + } else { + &Failure( $client, "non_authorized\n", $userinput); + } + + return 1; +} + +register_handler("auth", \&authenticate_handler, 1, 1, 0); #--------------------------------------------------------------- # @@ -1318,161 +1531,9 @@ sub process_request { #------------------- Commands not yet in spearate handlers. -------------- -# ----------------------------------------------------------------- currentauth - if ($userinput =~ /^currentauth/) { - if (($wasenc==1) && isClient) { # Encoded & client only. - my ($cmd,$udom,$uname)=split(/:/,$userinput); - my $result = GetAuthType($udom, $uname); - if($result eq "nouser") { - print $client "unknown_user\n"; - } - else { - print $client "$result\n"; - } - } else { - Reply($client, "refused\n", $userinput); - - } -#--------------------------------------------------------------------- pushfile - } elsif($userinput =~ /^pushfile/) { # encoded & manager. - if(($wasenc == 1) && isManager) { - my $cert = GetCertificate($userinput); - if(ValidManager($cert)) { - my $reply = PushFile($userinput); - print $client "$reply\n"; - } else { - print $client "refused\n"; - } - } else { - Reply($client, "refused\n", $userinput); - - } -#--------------------------------------------------------------------- reinit - } elsif($userinput =~ /^reinit/) { # Encoded and manager - if (($wasenc == 1) && isManager) { - my $cert = GetCertificate($userinput); - if(ValidManager($cert)) { - chomp($userinput); - my $reply = ReinitProcess($userinput); - print $client "$reply\n"; - } else { - print $client "refused\n"; - } - } else { - Reply($client, "refused\n", $userinput); - } -#------------------------------------------------------------------------- edit - } elsif ($userinput =~ /^edit/) { # encoded and manager: - if(($wasenc ==1) && (isManager)) { - my $cert = GetCertificate($userinput); - if(ValidManager($cert)) { - my($command, $filetype, $script) = split(/:/, $userinput); - if (($filetype eq "hosts") || ($filetype eq "domain")) { - if($script ne "") { - Reply($client, EditFile($userinput)); - } else { - Reply($client,"refused\n",$userinput); - } - } else { - Reply($client,"refused\n",$userinput); - } - } else { - Reply($client,"refused\n",$userinput); - } - } else { - Reply($client,"refused\n",$userinput); - } -# ------------------------------------------------------------------------ auth - } elsif ($userinput =~ /^auth/) { # Encoded and client only. - if (($wasenc==1) && isClient) { - my ($cmd,$udom,$uname,$upass)=split(/:/,$userinput); - chomp($upass); - $upass=unescape($upass); - my $proname=propath($udom,$uname); - my $passfilename="$proname/passwd"; - if (-e $passfilename) { - my $pf = IO::File->new($passfilename); - my $realpasswd=<$pf>; - chomp($realpasswd); - my ($howpwd,$contentpwd)=split(/:/,$realpasswd); - my $pwdcorrect=0; - if ($howpwd eq 'internal') { - &Debug("Internal auth"); - $pwdcorrect= - (crypt($upass,$contentpwd) eq $contentpwd); - } elsif ($howpwd eq 'unix') { - &Debug("Unix auth"); - if((getpwnam($uname))[1] eq "") { #no such user! - $pwdcorrect = 0; - } else { - $contentpwd=(getpwnam($uname))[1]; - my $pwauth_path="/usr/local/sbin/pwauth"; - unless ($contentpwd eq 'x') { - $pwdcorrect= - (crypt($upass,$contentpwd) eq - $contentpwd); - } - - elsif (-e $pwauth_path) { - open PWAUTH, "|$pwauth_path" or - die "Cannot invoke authentication"; - print PWAUTH "$uname\n$upass\n"; - close PWAUTH; - $pwdcorrect=!$?; - } - } - } elsif ($howpwd eq 'krb4') { - my $null=pack("C",0); - unless ($upass=~/$null/) { - my $krb4_error = &Authen::Krb4::get_pw_in_tkt - ($uname,"",$contentpwd,'krbtgt', - $contentpwd,1,$upass); - if (!$krb4_error) { - $pwdcorrect = 1; - } else { - $pwdcorrect=0; - # log error if it is not a bad password - if ($krb4_error != 62) { - &logthis('krb4:'.$uname.','. - &Authen::Krb4::get_err_txt($Authen::Krb4::error)); - } - } - } - } elsif ($howpwd eq 'krb5') { - my $null=pack("C",0); - unless ($upass=~/$null/) { - my $krbclient=&Authen::Krb5::parse_name($uname.'@'.$contentpwd); - my $krbservice="krbtgt/".$contentpwd."\@".$contentpwd; - my $krbserver=&Authen::Krb5::parse_name($krbservice); - my $credentials=&Authen::Krb5::cc_default(); - $credentials->initialize($krbclient); - my $krbreturn = - &Authen::Krb5::get_in_tkt_with_password( - $krbclient,$krbserver,$upass,$credentials); -# unless ($krbreturn) { -# &logthis("Krb5 Error: ". -# &Authen::Krb5::error()); -# } - $pwdcorrect = ($krbreturn == 1); - } else { $pwdcorrect=0; } - } elsif ($howpwd eq 'localauth') { - $pwdcorrect=&localauth::localauth($uname,$upass, - $contentpwd); - } - if ($pwdcorrect) { - print $client "authorized\n"; - } else { - print $client "non_authorized\n"; - } - } else { - print $client "unknown_user\n"; - } - } else { - Reply($client, "refused\n", $userinput); - - } + # ---------------------------------------------------------------------- passwd - } elsif ($userinput =~ /^passwd/) { # encoded and client + if ($userinput =~ /^passwd/) { # encoded and client if (($wasenc==1) && isClient) { my ($cmd,$udom,$uname,$upass,$npass)=split(/:/,$userinput); @@ -3191,10 +3252,11 @@ sub checkchildren { &logthis('Going to check on the children'); my $docdir=$perlvar{'lonDocRoot'}; foreach (sort keys %children) { - sleep 1; + #sleep 1; unless (kill 'USR1' => $_) { &logthis ('Child '.$_.' is dead'); &logstatus($$.' is dead'); + delete($children{$_}); } } sleep 5; @@ -3213,6 +3275,7 @@ sub checkchildren { #my $result=`echo 'Killed lond process $_.' | mailto $emailto -s '$subj' > /dev/null`; #$execdir=$perlvar{'lonDaemons'}; #$result=`/bin/cp $execdir/logs/lond.log $execdir/logs/lond.log.$_`; + delete($children{$_}); alarm(0); } } @@ -3220,6 +3283,7 @@ sub checkchildren { $SIG{ALRM} = 'DEFAULT'; $SIG{__DIE__} = \&catchexception; &status("Finished checking children"); + &logthis('Finished Checking children'); } # --------------------------------------------------------------------- Logging @@ -3290,17 +3354,19 @@ sub logstatus { &status("Doing logging"); my $docdir=$perlvar{'lonDocRoot'}; { - my $fh=IO::File->new(">>$docdir/lon-status/londstatus.txt"); - print $fh $$."\t".$clientname."\t".$currenthostid."\t" - .$status."\t".$lastlog."\t $keymode\n"; - $fh->close(); - } - &status("Finished londstatus.txt"); - { my $fh=IO::File->new(">$docdir/lon-status/londchld/$$.txt"); print $fh $status."\n".$lastlog."\n".time."\n$keymode"; $fh->close(); } + &status("Finished $$.txt"); + { + open(LOG,">>$docdir/lon-status/londstatus.txt"); + flock(LOG,LOCK_EX); + print LOG $$."\t".$clientname."\t".$currenthostid."\t" + .$status."\t".$lastlog."\t $keymode\n"; + flock(DB,LOCK_UN); + close(LOG); + } &status("Finished logging"); } @@ -3785,6 +3851,132 @@ sub GetAuthType } } +# +# Validate a user given their domain, name and password. This utility +# function is used by both AuthenticateHandler and ChangePasswordHandler +# to validate the login credentials of a user. +# Parameters: +# $domain - The domain being logged into (this is required due to +# the capability for multihomed systems. +# $user - The name of the user being validated. +# $password - The user's propoposed password. +# +# Returns: +# 1 - The domain,user,pasword triplet corresponds to a valid +# user. +# 0 - The domain,user,password triplet is not a valid user. +# +sub validate_user { + my ($domain, $user, $password) = @_; + + + # Why negative ~pi you may well ask? Well this function is about + # authentication, and therefore very important to get right. + # I've initialized the flag that determines whether or not I've + # validated correctly to a value it's not supposed to get. + # At the end of this function. I'll ensure that it's not still that + # value so we don't just wind up returning some accidental value + # as a result of executing an unforseen code path that + # did not set $validated. + + my $validated = -3.14159; + + # How we authenticate is determined by the type of authentication + # the user has been assigned. If the authentication type is + # "nouser", the user does not exist so we will return 0. + + my $contents = &GetAuthType($domain, $user); + my ($howpwd, $contentpwd) = split(/:/, $contents); + + my $null = pack("C",0); # Used by kerberos auth types. + + if ($howpwd ne 'nouser') { + + if($howpwd eq "internal") { # Encrypted is in local password file. + $validated = (crypt($password, $contentpwd) eq $contentpwd); + } + elsif ($howpwd eq "unix") { # User is a normal unix user. + $contentpwd = (getpwnam($user))[1]; + if($contentpwd) { + if($contentpwd eq 'x') { # Shadow password file... + my $pwauth_path = "/usr/local/sbin/pwauth"; + open PWAUTH, "|$pwauth_path" or + die "Cannot invoke authentication"; + print PWAUTH "$user\n$password\n"; + close PWAUTH; + $validated = ! $?; + + } else { # Passwords in /etc/passwd. + $validated = (crypt($password, + $contentpwd) eq $contentpwd); + } + } else { + $validated = 0; + } + } + elsif ($howpwd eq "krb4") { # user is in kerberos 4 auth. domain. + if(! ($password =~ /$null/) ) { + my $k4error = &Authen::Krb4::get_pw_in_tkt($user, + "", + $contentpwd,, + 'krbtgt', + $contentpwd, + 1, + $password); + if(!$k4error) { + $validated = 1; + } + else { + $validated = 0; + &logthis('krb4: '.$user.', '.$contentpwd.', '. + &Authen::Krb4::get_err_txt($Authen::Krb4::error)); + } + } + else { + $validated = 0; # Password has a match with null. + } + } + elsif ($howpwd eq "krb5") { # User is in kerberos 5 auth. domain. + if(!($password =~ /$null/)) { # Null password not allowed. + my $krbclient = &Authen::Krb5::parse_name($user.'@' + .$contentpwd); + my $krbservice = "krbtgt/".$contentpwd."\@".$contentpwd; + my $krbserver = &Authen::Krb5::parse_name($krbservice); + my $credentials= &Authen::Krb5::cc_default(); + $credentials->initialize($krbclient); + my $krbreturn = &Authen::KRb5::get_in_tkt_with_password($krbclient, + $krbserver, + $password, + $credentials); + $validated = ($krbreturn == 1); + } + else { + $validated = 0; + } + } + elsif ($howpwd eq "localauth") { + # Authenticate via installation specific authentcation method: + $validated = &localauth::localauth($user, + $password, + $contentpwd); + } + else { # Unrecognized auth is also bad. + $validated = 0; + } + } else { + $validated = 0; + } + # + # $validated has the correct stat of the authentication: + # + + unless ($validated != -3.14159) { + die "ValidateUser - failed to set the value of validated"; + } + return $validated; +} + + sub addline { my ($fname,$hostid,$ip,$newline)=@_; my $contents;