add SRP user authentication method

Implement the SRP (Secure Remote Password) UAM for AFP,
as used by Apple Time Capsule.

The protocol uses SRP-6a with SHA-1,
MGF1 KDF, and RFC 5054 group #2 (1536-bit).

afppasswd is modified to operate on SRP storage file by default,
which stores per-user salts and verifiers.

afppasswd retains the legacy RandNum functionality
activated with the -r flag.

afppasswd -a now takes username as argument rather than previous
positional username arugment

Author: rdmark

bin/afppasswd/afppasswd.c

@@ -21,6 +21,7 @@ executable(
     link_with: afppasswd_libs,
     c_args: [
         afpdpwfile,
+        afpdsrppwfile,
         dversion,
     ],
     install: true,

bin/afppasswd/meson.build

@@ -4,76 +4,130 @@ afppasswd — AFP password maintenance utility
 
 # Synopsis
 
-**afppasswd** [-acfn] [-p *afppasswd file*] [-u *minimum uid*] [-w *password string*]
+**afppasswd** [-cfn] [-r] [-a *username*] [-p *path*] [-u *minimum uid*] [-w *password string*]
 
-# Description
-
-**afppasswd** creates and maintains an *afppasswd* file, which supplies the
-user credentials for the "Randnum exchange" and "2-Way Randnum exchange"
-User Authentication Modules.
+**afppasswd** [-r]
 
-**afppasswd** can either be called by root with parameters to manage all
-user credentials, or by local system users with no parameters to change
-their own AFP passwords.
+# Description
 
-> ***NOTE:*** With this utility you can only change the passwords used by these two
-Random Number UAMs. As they provide only weak password encryption, their
-use is discouraged unless one has to support very old AFP clients that
-can not deal with the more secure "DHX" or "DHX2" UAMs.
+**afppasswd** creates and maintains the credential file used by the SRP
+("Secure Remote Password") UAM and, with **-r**, the legacy *afppasswd*
+file used by the "Randnum exchange" and "2-Way Randnum exchange" UAMs.
+
+By default **afppasswd** operates in **SRP mode** and stores per-user
+salts and verifiers in the SRP verifier file (default *afppasswd.srp*
+under the netatalk configuration directory, or whatever is configured
+via the "**srp passwd file**" option in **afp.conf**(5)). Pass **-r**
+to operate on the legacy Randnum file (default *afppasswd* under the
+netatalk configuration directory, or as configured via the
+"**passwd file**" option) instead.
+
+There are two invocation styles:
+
+- **As root**, **afppasswd** manages credentials for any system user.
+  The user is named with **-a** *username* (which both adds new entries
+  and updates existing ones), or the entire file is initialised at once
+  with **-c**.
+- **As a regular user**, **afppasswd** takes no positional arguments and
+  changes the calling user's own AFP password: for SRP by default and with
+  **-r** for the legacy RandNum UAM.
+
+The named user must already exist as a local system user.
+
+> ***NOTE:*** The legacy Randnum and 2-Way Randnum UAMs only provide
+weak password protection and are discouraged. They should only be enabled
+to support very old AFP clients that cannot use SRP, DHX, or DHX2.
+> If a file named `<passwd file>.key` exists, Randnum uses its hex-encoded
+> 8-byte DES key to encrypt the stored password; otherwise the password is
+> stored as raw hex in the legacy *afppasswd* file.
 
 # Examples
 
-Administrator initializing *afppasswd* file and adding a new user:
+Administrator initialising the SRP verifier file and adding a new user:
 
     example% sudo afppasswd -c
     example% sudo afppasswd -a newuser
     Enter NEW AFP password: (hidden)
     Enter NEW AFP password again: (hidden)
-    afppasswd: updated password.
+    afppasswd: updated SRP verifier.
+
+Administrator updating an existing user's SRP password:
 
-Note that newuser must already exist as a local system user.
+    example% sudo afppasswd -a someuser
 
-Local user changing their own password:
+Local user changing their own SRP password:
 
     example% afppasswd
-    Enter NEW AFP password: (hidden)
-    Enter NEW AFP password again: (hidden)
-    afppasswd: updated password.
+
+Administrator managing the legacy Randnum file at a non-default path:
+
+    example% sudo afppasswd -r -c -p /usr/local/etc/afppasswd
+    example% sudo afppasswd -r -a olduser -p /usr/local/etc/afppasswd
 
 # Options
 
-**-a**
+**-a** *username*
 
-> Add a new user to the *afppasswd* file.
+> Add or update the named user. Required when an administrator operates
+> on a specific user. Non-root invocations always operate on the calling
+> user and do not accept this option.
 
 **-c**
 
-> Create and/or initialize *afppasswd* file or specific user.
+> Create and initialise the password/verifier file. Existing entries are
+> populated as placeholders for every local system user with a uid at or
+> above the **-u** threshold; passwords still need to be set individually
+> with **-a**.
 
 **-f**
 
-> Force the current action.
+> Force the action. With **-c**, allows overwriting an existing
+> password/verifier file.
+
+**-r**
+
+> Operate on the legacy Randnum *afppasswd* file instead of the SRP
+> verifier file. Affects which file is read or created and which default
+> path is used when **-p** is not given.
 
 **-p** *path*
 
-> Path to *afppasswd* file.
+> Override the default path of the password/verifier file. The default is
+> the SRP verifier file in SRP mode and the Randnum *afppasswd* file with
+> **-r**; both defaults can also be configured globally in **afp.conf**(5)
+> via "**srp passwd file**" and "**passwd file**" respectively.
 
 **-n**
 
-> If cracklib support is built into *netatalk* this option will cause
-cracklib checking to be disabled, if the superuser does not want to have
-the password run against the cracklib dictionary.
+> If cracklib support is built into *netatalk*, this option disables
+> cracklib checking, in case the superuser does not want to run the
+> password against the cracklib dictionary.
 
 **-u** *minimum uid*
 
-> This is the minimum *user id* (uid) that **afppasswd** will use when
-creating users.
+> The minimum *user id* (uid) that **afppasswd** considers when **-c**
+> walks the local user database to populate the file. Defaults to 100.
 
 **-w** *password string*
 
-> Use string as password, instead of typing it interactively. Please use
-this option only if absolutely necessary, since the password may remain
-in the terminal history in plain text.
+> Use *string* as the password instead of typing it interactively. Use
+> this option only when absolutely necessary, since the password may
+> remain in the terminal history in plain text.
+
+# Files
+
+*afppasswd.srp*
+
+> Default SRP verifier file, located under the netatalk configuration
+> directory. One line per user, formatted as
+> *username:hex_salt:hex_verifier*. Override with **-p** or with the
+> "**srp passwd file**" option in **afp.conf**(5).
+
+*afppasswd*
+
+> Default legacy Randnum file, located under the netatalk configuration
+> directory. Used only with **-r**. Override with **-p** or with the
+> "**passwd file**" option in **afp.conf**(5).
 
 # See Also
 

doc/manpages/man1/afppasswd.1.md

@@ -239,16 +239,6 @@ nt domain = *domain* **(G)**; nt separator = *SEPARATOR* **(G)**
 username from login and then tries to authenticate with the result
 through the available and active UAM authentication modules.
 
-save password = *BOOLEAN* (default: *yes*) **(G)**
-
-> Enables or disables the ability of clients to save passwords locally.
-Setting this option to *no* will send this hint to clients, but it is up to the client to honor it.
-
-set password = *BOOLEAN* (default: *no*) **(G)**
-
-> Enables or disables the ability of clients to change their passwords.
-Setting this option to *yes* will allow clients to change their passwords if the UAM in use supports this feature.
-
 uam list = *uam list* **(G)**
 
 > Space or comma separated list of UAMs. (The default is "uams_dhx.so
@@ -271,7 +261,6 @@ in the clear. Compatible with Mac OS 9 and earlier.
 authentication (requires a separate file containing the passwords,
 either the default *afppasswd* file or the one specified via
 "**passwd file**"). See **afppasswd**(1) for details.
-Compatible with Mac OS 9 and earlier.
 >
 > uams_dhx.so
 >
@@ -285,7 +274,12 @@ Compatible with Mac OS 9 and earlier.
 >
 > uam_gss.so
 >
-> > Allow Kerberos V for authentication (optional)
+> > Allow Kerberos V for authentication
+>
+> uams_srp.so
+> > Allow SRP ("Secure Remote Password") for authentication. Requires a separate
+file containing the SRP salts and verifiers, either the default *afppasswd.srp* file
+or the one specified via "**srp passwd file**". See **afppasswd**(1) for details.
 
 uam path = *path* **(G)**
 
@@ -346,12 +340,26 @@ same as **unix charset**.
 
 passwd file = *path* **(G)**
 
-> Sets the path to the Randnum UAM *afppasswd* file for this server.
+> Sets the path to the Randnum UAM password file for this server.
 
 passwd minlen = *number* **(G)**
 
 > Sets the minimum password length, if supported by the UAM
 
+save password = *BOOLEAN* (default: *yes*) **(G)**
+
+> Enables or disables the ability of clients to save passwords locally.
+Setting this option to *no* will send this hint to clients, but it is up to the client to honor it.
+
+set password = *BOOLEAN* (default: *no*) **(G)**
+
+> Enables or disables the ability of clients to change their passwords.
+Setting this option to *yes* will allow clients to change their passwords if the UAM in use supports this feature.
+
+srp passwd file = *path* **(G)**
+
+> Sets the path to the SRP UAM verifier file for this server.
+
 ## Network Options
 
 advertise ssh = *BOOLEAN* (default: *no*) **(G)**

doc/manpages/man5/afp.conf.5.md

@@ -23,7 +23,9 @@ Netatalk supports the following UAMs by default:
 
 - "DHCAST128" UAM (a.k.a. DHX; stronger password encryption)
 
-- "DHX2" UAM (successor of DHCAST128)
+- "DHX2" UAM (successor of DHCAST128 with even stronger password encryption)
+
+- "SRP" UAM ("Secure Remote Password", strongest password encryption, separate verifier storage)
 
 With Kerberos support enabled at compile time, Netatalk also supports:
 
@@ -68,16 +70,17 @@ DHX2 is sufficient and provides the strongest encryption.
 
 - "Randnum exchange"/"2-Way Randnum exchange" uses only 56-bit DES for encryption,
   so it should also be avoided.
-  An additional disadvantage is that passwords must be stored in cleartext on the server,
-  and these UAMs do not integrate with PAM or classic */etc/shadow*.
-  You must administer passwords separately using the **afppasswd** utility.
+  An additional disadvantage is that passwords must be stored as raw hex on the server.
 
     However, this is the strongest form of authentication available for
     Macintosh System Software 7.1 or earlier.
 
 - "DHCAST128" ("DHX") or "DHX2" is the best choice for most users,
   combining stronger encryption with PAM integration.
 
+- "SRP" is the strongest UAM, but it requires a separate file to store per-user salts and verifiers.
+  If you don't mind the extra maintenance overhead of this file, SRP is the best choice for security-conscious users.
+
 - The Kerberos V ("Client Krb v2")
   UAM enables true single sign-on scenarios using Kerberos tickets.
   The password is not sent over the network.
@@ -92,7 +95,21 @@ For a more detailed overview of the technical implications of the different UAMs
 see Apple's [File Server Security](http://developer.apple.com/library/mac/#documentation/Networking/Conceptual/AFP/AFPSecurity/AFPSecurity.html#//apple_ref/doc/uid/TP40000854-CH232-SW1)
 documentation.
 
-## Using different authentication sources with specific UAMs
+## Password storage
+
+Randnum and SRP do not use system passwords directly. They both rely on
+separate files managed with **afppasswd**:
+
+- **Randnum** uses the legacy *afppasswd* file. By default it stores the raw
+  password as hex. If an optional key file exists alongside the Randnum
+  password file (same path with a `.key` suffix), the stored password is
+  DES-encrypted using that key instead. To use a key file, create
+  `<passwd file>.key` containing 16 hex characters (8 bytes) and restrict
+  permissions (for example, owner-readable only).
+
+- **SRP** uses *afppasswd.srp*, which stores per-user salts and verifiers.
+
+## Using different authentication backends
 
 Some UAMs support different authentication backends,
 namely **uams_clrtxt.so**, **uams_dhx.so**, and **uams_dhx2.so**.
@@ -114,19 +131,18 @@ The main advantage of PAM is that it integrates Netatalk into centralized authen
 such as LDAP, NIS, and similar systems.
 Keep in mind that the security of your users' login credentials in such scenarios
 also depends on the encryption strength of the UAM in use.
-Consider eliminating weak UAMs like "ClearTxt Passwrd" and "Randnum exchange" entirely from your network.
 
 ## Netatalk UAM overview table
 
 An overview of the officially supported UAMs on Macs.
 
-| UAM              | No User Auth  | Cleartxt Passwrd | RandNum Exchange | DHCAST128    | DHX2          | Kerberos V       |
-|------------------|---------------|------------------|------------------|--------------|---------------|------------------|
-| Password length  | guest access  | max 8 chars      | max 8 chars      | max 64 chars | max 256 chars | Kerberos tickets |
-| Client support   | built-in into all Mac OS versions | built-in in all Mac OS versions except 10.0. Has to be activated explicitly in later Mac OS X versions | built-in into almost all Mac OS versions | built-in since AppleShare client 3.8.4, available as a plug-in for 3.8.3, integrated in macOS's AFP client | built-in since Mac OS X 10.2 | built-in since Mac OS X 10.2 |
-| Encryption       | Enables guest access without authentication between client and server. | Password will be sent in cleartext over the wire. Just as bad as it sounds, therefore avoid at all if possible (note: providing NetBoot services requires the ClearTxt UAM) | 8-byte random numbers are sent over the wire, comparable with DES, 56 bits. Vulnerable to offline dictionary attack. Requires passwords in clear on the server. | Password will be encrypted with 128 bit CAST, user will be authenticated against the server but not vice versa. Therefore weak against man-in-the-middle attacks. | Password will be encrypted with 128 bit CAST in CBC mode. User will be authenticated against the server but not vice versa. Therefore weak against man-in-the-middle attacks. | Password is not sent over the network. Due to the service principal detection method, this authentication method is vulnerable to man-in-the-middle attacks. |
-| Server support   | uams_guest.so | uams_clrtxt.so   | uams_randnum.so  | uams_dhx.so  | uams_dhx2.so  | uams_gss.so      |
-| Password storage | None          | Either system auth or PAM | Passwords stored in clear text in a separate text file | Either system auth or PAM | Either system auth or PAM | At the Kerberos Key Distribution Center |
+| UAM              | No User Auth  | Cleartxt Passwrd | RandNum Exchange | DHCAST128    | DHX2          | Kerberos V       | SRP              |
+| ---------------- | ------------- | ---------------- | ---------------- | ------------ | ------------- | ---------------- | ---------------- |
+| Password length  | guest access  | max 8 chars      | max 8 chars      | max 64 chars | max 256 chars | Kerberos tickets | max 256 chars    |
+| Client support   | built-in into all Mac OS versions | built-in in all Mac OS versions except 10.0. Has to be activated explicitly in later Mac OS X versions | built-in into almost all Mac OS versions | built-in since AppleShare client 3.8.4, available as a plug-in for 3.8.3, integrated in macOS's AFP client | built-in since Mac OS X 10.2 | built-in since Mac OS X 10.2 | built-in since Mac OS X 10.7 |
+| Encryption       | Enables guest access without authentication between client and server. | Password will be sent in cleartext over the wire. Just as bad as it sounds, therefore avoid at all costs. | 8-byte random numbers are sent over the wire, comparable with DES, 56 bits. Vulnerable to offline dictionary attack. Requires passwords in clear on the server. | Password will be encrypted with 128 bit CAST, user will be authenticated against the server but not vice versa. Therefore weak against man-in-the-middle attacks. | Password will be encrypted with 128 bit CAST in CBC mode. User will be authenticated against the server but not vice versa. Therefore weak against man-in-the-middle attacks. | Password is not sent over the network. Due to the service principal detection method, this authentication method is vulnerable to man-in-the-middle attacks. | Password is never sent; SRP uses a verifier and mutual proofs (M1/M2) to authenticate both client and server, providing protection against man‑in‑the‑middle attacks. |
+| Server support   | uams_guest.so | uams_clrtxt.so   | uams_randnum.so  | uams_dhx.so  | uams_dhx2.so  | uams_gss.so      | uams_srp.so      |
+| Password storage | None          | Either system auth or PAM | Separate *afppasswd* file; raw hex or DES-encrypted with *.key* | Either system auth or PAM | Either system auth or PAM | At the Kerberos Key Distribution Center | In a separate *afppasswd.srp* verifier file |
 
 Note that a number of open-source and other third-party AFP clients exist.
 Refer to their documentation for a list of supported UAMs.

doc/manual/Authentication.md

@@ -426,6 +426,11 @@ int uam_afpserver_option(void *private, const int what, void *option,
             *len = strlen(obj->options.passwdfile);
             break;
 
+        case UAM_PASSWD_SRP_FILENAME:
+            *buf = obj->options.srppasswdfile;
+            *len = strlen(obj->options.srppasswdfile);
+            break;
+
         case UAM_PASSWD_MINLENGTH:
             *((int *) option) = obj->options.passwdminlen;
             *len = sizeof(obj->options.passwdminlen);

etc/afpd/uam.c

@@ -75,6 +75,18 @@ library(
     install_dir: libdir / 'netatalk',
 )
 
+library(
+    'uams_srp',
+    ['uams_srp.c'],
+    include_directories: root_includes,
+    dependencies: [libgcrypt],
+    name_prefix: '',
+    name_suffix: lib_suffix,
+    override_options: 'b_lundef=false',
+    install: true,
+    install_dir: libdir / 'netatalk',
+)
+
 if have_pam
     library(
         'uams_dhx_pam',