Windows password support.

9ce3dc56 · Russ Fish · ec51614c · 9ce3dc56 · 9ce3dc56 · 9ce3dc56
Commit 9ce3dc56 authored Jan 25, 2005 by Russ Fish
5 changed files
--- a/tmcd/common/config/rc.accounts
+++ b/tmcd/common/config/rc.accounts
@@ -111,8 +111,8 @@ sub doboot()
    my %GRPDB;

    print STDOUT "Checking Testbed user accounts configuration ... \n";
-
-    if (tmcc(TMCCCMD_ACCT, undef, \@tmccresults) < 0) {
+    my $arg = WINDOWS() ? "windows" : undef;
+    if (tmcc(TMCCCMD_ACCT, $arg, \@tmccresults) < 0) {
 	fatal("Could not get account info from server!");
    }
    # Important; if no results then do nothing. We do not want to remove

--- a/tmcd/common/libtmcc.pm
+++ b/tmcd/common/libtmcc.pm
@@ -539,7 +539,7 @@ sub tmccgetconfig()
    }
   
    # XXX  Can't "use libsetup" in libtmcc to reference the WINDOWS() function.
-    my $arg = (-e "$ETCDIR/iscygwin") ? "pubkeys" : undef;
+    my $arg = (-e "$ETCDIR/iscygwin") ? "windows" : undef;
    if (runtmcc("fullconfig", $arg, \@tmccresults) < 0 ||
 	!scalar(@tmccresults)) {
 	warn("*** WARNING: Could not get fullconfig from tmcd!\n");

--- a/tmcd/cygwinxp/rc.cygwinxp-user
+++ b/tmcd/cygwinxp/rc.cygwinxp-user
@@ -34,7 +34,7 @@ user=`id -un`
 if [ $user == root ]; then
    user=`tmcc creator | sed 's|.*SWAPPER=\([^ ]*\).*|\1|'`
 fi
-pswd=`tmcc accounts | awk '/^ADDUSER LOGIN='$user' /{print substr($0,index($0," PSWD=")+9,8)}'`
+pswd=`tmcc accounts windows | awk '/^ADDUSER LOGIN='$user' /{print substr($0,index($0," PSWD=")+9,8)}'`
 if [ -z "$pswd" ]; then
    echo "No account for user $user, so no remote file access."
    sleep 5

--- a/tmcd/tmcd.c
+++ b/tmcd/tmcd.c
@@ -1643,14 +1643,15 @@ COMMAND_PROTOTYPE(doaccounts)
 				 "  u.emulab_pubkey,u.home_pubkey, "
 				 "  UNIX_TIMESTAMP(u.usr_modified), "
 				 "  u.usr_email,u.usr_shell, "
-				 "  u.widearearoot,u.wideareajailroot "
+				 "  u.widearearoot,u.wideareajailroot, "
+				 "  u.usr_w_pswd "
 				 "from group_membership as p "
 				 "left join users as u on p.uid=u.uid "
 				 "left join groups as g on "
 				 "     p.pid=g.pid and p.gid=g.gid "
 				 "where ((p.pid='%s')) and p.trust!='none' "
 				 "      and u.status='active' order by u.uid",
-				 16, reqp->pid);
+				 17, reqp->pid);
 	}
 	else if (reqp->jailflag) {
 		/*
@@ -1663,7 +1664,8 @@ COMMAND_PROTOTYPE(doaccounts)
 			     "  u.emulab_pubkey,u.home_pubkey, "
 			     "  UNIX_TIMESTAMP(u.usr_modified), "
 			     "  u.usr_email,u.usr_shell, "
-			     "  u.widearearoot,u.wideareajailroot "
+			     "  u.widearearoot,u.wideareajailroot, "
+			     "  u.usr_w_pswd "
 			     "from group_membership as p "
 			     "left join users as u on p.uid=u.uid "
 			     "left join groups as g on "
@@ -1671,7 +1673,7 @@ COMMAND_PROTOTYPE(doaccounts)
 			     "where (p.pid='%s') and p.trust!='none' "
 			     "      and u.status='active' and u.admin=1 "
 			     "      order by u.uid",
-			     16, RELOADPID);
+			     17, RELOADPID);
 	}
 	else {
 		/*
@@ -1690,7 +1692,8 @@ COMMAND_PROTOTYPE(doaccounts)
 				 "u.emulab_pubkey,u.home_pubkey, "
 				 "UNIX_TIMESTAMP(u.usr_modified), "
 				 "u.usr_email,u.usr_shell, "
-				 "u.widearearoot,u.wideareajailroot "
+				 "u.widearearoot,u.wideareajailroot, "
+				 "u.usr_w_pswd "
 				 "from projects as p "
 				 "left join group_membership as m "
 				 "  on m.pid=p.pid "
@@ -1702,7 +1705,7 @@ COMMAND_PROTOTYPE(doaccounts)
 				 "      and m.trust!='none' "
 				 "      and u.status='active' "
 				 "order by u.uid",
-				 16, reqp->type);
+				 17, reqp->type);
 	}

 	if (!res) {
@@ -1726,6 +1729,7 @@ COMMAND_PROTOTYPE(doaccounts)
 		int		auxgids[128], gcount = 0;
 		char		glist[BUFSIZ];
 		char		*bufp = buf, *ebufp = &buf[sizeof(buf)];
+		char		*pswd, *wpswd, wpswd_buf[9];

 		gidint     = -1;
 		tbadmin    = root = atoi(row[8]);
@@ -1780,6 +1784,7 @@ COMMAND_PROTOTYPE(doaccounts)
 				break;
 			row = nextrow;
 		}
+
 		/*
 		 * widearearoot and wideareajailroot override trust values
 		 * from the project (above). Of course, tbadmin overrides
@@ -1794,6 +1799,30 @@ COMMAND_PROTOTYPE(doaccounts)
 			if (tbadmin)
 				root = 1;
 		}
+
+		/* There is an optional Windows password column. */
+		pswd = row[1];
+		wpswd = row[16];
+		if (strncmp(rdata, "windows", 7) == 0) {
+			if (wpswd != NULL && strlen(wpswd) > 0) {
+				row[1] = wpswd;
+			}
+			else {
+
+				/* The initial random default for the Windows Password
+				 * is based on the Unix encrypted password hash, in
+				 * particular the random salt when it's an MD5 crypt.
+				 * THis is the 8 characters after an initial "$1$" and
+				 * followed by a "$".  Just use the first 8 chars if
+				 * the hash is not an MD5 crypt.
+				 */
+				strncpy(wpswd_buf, 
+					(strncmp(pswd,"$1$",3)==0) ? pswd + 3 : pswd,
+					8);
+				wpswd_buf[8]='\0';
+				row[1] = wpswd_buf;
+			}
+		}
 		 
 		/*
 		 * Okay, process the UID. If there is no primary gid,
@@ -1871,7 +1900,8 @@ COMMAND_PROTOTYPE(doaccounts)
 		 * sending back pubkey stuff; it's never used except on CygWin.
 		 * Add an argument of "pubkeys" to get the PUBKEY data on CygWin.
 		 */
-		if (reqp->islocal && strncmp(rdata, "pubkeys", 7) != 0)
+		if (reqp->islocal && (strncmp(rdata, "pubkeys", 7) != 0
+				      || strncmp(rdata, "windows", 7) != 0))
 			goto skipsshkeys;

 		/*

--- a/www/moduserinfo.php3
+++ b/www/moduserinfo.php3
@@ -254,6 +254,32 @@ function SPITFORM($formfields, $errors)
                             size=8></td>
             </tr>\n";

+	# Windows Password.  Initial random default is based on the Unix
+	# password hash.
+	# 
+	# A separate password is kept for experiment nodes running Windows.
+	# It is presented behind-the-scenes to rdesktop and Samba by our Web
+	# interface, but you may still need to type it.  The default password
+	# is randomly generated.  You may change it to something easier to
+	# remember.
+	#
+	echo "<tr>
+                  <td colspan=2>Windows Password[<b>1,4</b>]:</td>
+                  <td class=left>
+                      <input type=text
+                             name=\"formfields[w_password1]\"
+                             value=\"" . $formfields[w_password1] . "\"
+                             size=8></td>
+              </tr>\n";
+
+        echo "<tr>
+                  <td colspan=2>Retype Windows Password:</td>
+                  <td class=left>
+                      <input type=text
+                             name=\"formfields[w_password2]\"
+                             size=8></td>
+             </tr>\n";
+
        #
 	# Planetlab bit. This should really be a drop down menu of the choices.
 	#
@@ -312,6 +338,11 @@ function SPITFORM($formfields, $errors)
                 were added later, so
                 some early users will be forced to adjust their addresses
                 before they can proceed. Sorry for the inconvenience.
+            <li> A separate password is kept for experiment nodes running
+                 Windows.  It is presented behind-the-scenes to rdesktop and
+                 Samba by our Web interface, but you may still need to type
+                 it.  The default password is randomly generated.  You may
+                 change it to something easier to remember.
          </ol>
          </blockquote></blockquote>
          </h4>\n";
@@ -392,6 +423,22 @@ $defaults[usr_shell]   = $row[usr_shell];
 $defaults[notes]       = $row[notes];
 $defaults[user_interface] = $row[user_interface];

+# Show and keep the Windows password if user-set, otherwise fill in the random one.
+if (strcmp($row[usr_w_pswd],""))
+    $defaults[w_password1] = $defaults[w_password2] = $row[usr_w_pswd];
+else {
+    # The initial random default for the Windows Password is based on the Unix
+    # encrypted password, in particular the random salt if it's an MD5 crypt,
+    # consisting of the 8 characters after an initial "$1$" and followed by a "$". 
+    $unixpwd = explode('$', $row[usr_pswd]);
+    if (strlen($unixpwd[0]) > 0)
+	# When there's no $ at the beginning, it's not an MD5 hash.
+	$randpwd = substr($unixpwd[0],0,8);
+    else
+	$randpwd = substr($unixpwd[2],0,8); # The MD5 salt string.
+    $defaults[w_password1] = $defaults[w_password2] = $randpwd;
+}
+
 #
 # On first load, display a form consisting of current user values, and exit.
 #
@@ -519,6 +566,22 @@ if (isset($formfields[password1]) &&
 	$errors["Password"] = "$checkerror";
    }
 }
+if (isset($formfields[w_password1]) &&
+    strcmp($formfields[w_password1], "")) {
+    if (!isset($formfields[w_password2]) ||
+	strcmp($formfields[w_password2], "") == 0) {
+	$errors["Retype Windows Password"] = "Missing Field";
+    }
+    elseif (strcmp($formfields[w_password1], $formfields[w_password2])) {
+	$errors["Retype Windows Password"] = "Two Windows Passwords Do Not Match";
+    }
+    elseif (! CHECKPASSWORD($formfields[target_uid],
+			    $formfields[w_password1],
+			    $formfields[usr_name],
+			    $formfields[usr_email], $checkerror)) {
+	$errors["Windows Password"] = "$checkerror";
+    }
+}
 if (count($errors)) {
    SPITFORM($formfields, $errors);
    PAGEFOOTER();
@@ -538,6 +601,8 @@ $usr_phone    = $formfields[usr_phone];
 $usr_shell    = $formfields[usr_shell];
 $password1    = $formfields[password1];
 $password2    = $formfields[password2];
+$w_password1  = $formfields[w_password1];
+$w_password2  = $formfields[w_password2];

 if (! isset($formfields[usr_URL]) ||
    strcmp($formfields[usr_URL], "") == 0 ||
@@ -623,6 +688,20 @@ if ((isset($password1) && strcmp($password1, "")) &&
    }
 }

+#
+# See if the user is requesting to change the Windows password. We checked
+# them above when the form was submitted.
+#
+if ((isset($w_password1) && strcmp($w_password1, "")) &&
+    (isset($w_password2) && strcmp($w_password2, ""))) {
+
+    #
+    # Insert into database.
+    $insert_result =
+	DBQueryFatal("UPDATE users SET usr_w_pswd='$w_password1' ".
+		     "WHERE uid='$target_uid'");
+}
+
 #
 # Only admins can change the notes field. We do not bother to generate
 # any email or external updates for this.