Date: Sat, 19 Jan 2002 20:13:55 +0300 From: "Andrey A. Chernov" <ache@nagual.pp.ru> To: Dag-Erling Smorgrav <des@ofug.org>, mark@grondar.za Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: PAM pacthes we discuss Message-ID: <20020119171353.GA11472@nagual.pp.ru> In-Reply-To: <xzp1ygm9vc8.fsf@flood.ping.uio.no> References: <200201190901.g0J91H641020@freefall.freebsd.org> <xzp1ygm9vc8.fsf@flood.ping.uio.no>
On Sat, Jan 19, 2002 at 17:08:55 +0100, Dag-Erling Smorgrav wrote: > out and submit them to markm and myself for review, along with a Here is the patch, similar /etc/pam.d/* changes are not included, login.c/ftpd.c PAM_CRED_ERR addition not included too (I not insist on exact that error code). Index: pam_opie.c =================================================================== RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v retrieving revision 1.7 retrieving revision 1.12 diff -u -r1.7 -r1.12 --- pam_opie.c 5 Dec 2001 16:06:27 -0000 1.7 +++ pam_opie.c 19 Jan 2002 10:09:05 -0000 1.12 @@ -36,7 +36,7 @@ */ #include <sys/cdefs.h> -__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_opie/pam_opie.c,v 1.7 2001/12/05 16:06:27 des Exp $"); +__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_opie/pam_opie.c,v 1.12 2002/01/19 10:09:05 ache Exp $"); #include <sys/types.h> #include <opie.h> @@ -66,13 +66,12 @@ struct opie opie; struct options options; struct passwd *pwd; - int retval, i; + int retval, i, pwok; char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "}; char challenge[OPIE_CHALLENGE_MAX]; char prompt[OPIE_CHALLENGE_MAX+22]; char resp[OPIE_SECRET_MAX]; - const char *user; - const char *response; + const char *user, *response, *rhost; pam_std_option(&options, other_options, argc, argv); @@ -89,13 +88,16 @@ user = NULL; if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) { - pwd = getpwnam(getlogin()); + if ((pwd = getpwnam(getlogin())) == NULL) + PAM_RETURN(PAM_AUTH_ERR); user = pwd->pw_name; } else { retval = pam_get_user(pamh, (const char **)&user, NULL); if (retval != PAM_SUCCESS) PAM_RETURN(retval); + if ((pwd = getpwnam(user)) == NULL) + PAM_RETURN(PAM_AUTH_ERR); } PAM_LOG("Got user: %s", user); 
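Review bot: In the auth_as_self branch of the third hunk the new NULL check covers getpwnam() but not getlogin(), which returns NULL when the calling process has no login name (no utmp entry, detached session), so `getpwnam(NULL)` is still reachable on that path; I'd split it as `const char *login = getlogin(); if (login == NULL || (pwd = getpwnam(login)) == NULL) PAM_RETURN(PAM_AUTH_ERR);`. Independently of that, getlogin() reports the utmp login name rather than the real uid, so auth_as_self is trusting utmp here; that is pre-existing behaviour rather than something this hunk introduces, but `getpwuid(getuid())` would be the harder-to-spoof source if it is ever revisited. `pwd` also points at getpwnam's static buffer and is only consumed (`pwd->pw_dir`) several library calls later; if any of those call getpw* internally the pointer is silently clobbered, so copying pw_dir into a local right after the lookup would remove that question. The enclosing function (presumably pam_sm_authenticate) starts before this hunk and continues past it.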
@@ -106,7 +108,14 @@ */ opiedisableaeh(); - opiechallenge(&opie, (char *)user, challenge); + if (opiechallenge(&opie, (char *)user, challenge) == 0) { + rhost = NULL; + (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost); + pwok = (rhost != NULL) && (*rhost != '\0') && + opieaccessfile((char *)rhost) && + opiealways(pwd->pw_dir); + } else + PAM_RETURN(PAM_AUTH_ERR); for (i = 0; i < 2; i++) { snprintf(prompt, sizeof prompt, promptstr[i], challenge); retval = pam_get_pass(pamh, &response, prompt, &options); @@ -125,7 +134,7 @@ } /* We have to copy the response, because opieverify mucks with it. */ - snprintf(resp, sizeof resp, "%s", response); + strlcpy(resp, response, sizeof resp); /* * Opieverify is supposed to return -1 only if an error occurs. @@ -133,7 +142,10 @@ * it expects. Thus we can't log an error and can only check for * success or lack thereof. */ - retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR; + if (opieverify(&opie, resp) != 0) + retval = pwok ? PAM_AUTH_ERR : PAM_CRED_ERR; + else + retval = PAM_SUCCESS; PAM_RETURN(retval); } --- su.orig Wed Dec 5 13:26:00 2001 +++ su Sat Jan 19 02:31:32 2002 @@ -1,5 +1,5 @@ # -# $FreeBSD: src/etc/pam.d/su,v 1.2 2001/12/05 21:26:00 des Exp $ +# $FreeBSD: src/etc/pam.d/su,v 1.3 2002/01/19 10:31:32 ache Exp $ # # PAM configuration for the "su" service # @@ -9,8 +9,8 @@ auth requisite pam_wheel.so no_warn auth_as_self noroot_ok #auth sufficient pam_kerberosIV.so no_warn #auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self -#auth required pam_opie.so no_warn #auth required pam_ssh.so no_warn try_first_pass +auth [default=ignore success=done cred_err=die] pam_opie.so no_warn auth required pam_unix.so no_warn try_first_pass nullok #auth sufficient pam_rootok.so no_warn ##auth sufficient pam_kerberosIV.so no_warn -- Andrey A. Chernov http://ache.pp.ru/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
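Review bot: The new pwok computation short-circuits to 0 whenever PAM_RHOST is NULL or empty, without consulting opieaccessfile() at all, so for any local service (su, console login) a user holding an OPIE key can never fall back to a plaintext password; that may well be the intended policy, but it is decided by this module rather than by /etc/opieaccess, so confirm it and document it with something like `/* No remote host: treat as an untrusted origin, plaintext never acceptable. */`. The polarity of the third term also deserves a comment, since if I read opiealways() right it follows access() and returns 0 when ~/.opiealways exists, and its error return (-1 for a missing home dir or allocation failure) is indistinguishable from "no file", which makes pwok fail open toward plaintext on that helper's error path; `pwok = (rhost != NULL) && (*rhost != '\0') && opieaccessfile((char *)rhost) && opiealways(pwd->pw_dir) != 0; /* plaintext OK only from a listed host and without ~/.opiealways (0 == file exists) */` would at least make the assumption visible. Finally, `pwok` is declared without an initializer in the second hunk and only assigned on this path; initializing it to 0 (the conservative value) at declaration costs nothing and protects the later `pwok ?` test against future edits that add another way past the challenge.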
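Review bot: The new `retval = pwok ? PAM_AUTH_ERR : PAM_CRED_ERR;` overloads PAM_CRED_ERR, which is conventionally a setcred-phase result, to mean "OTP was mandatory and failed", and the hard-fail property of the module now rests entirely on every PAM stack mapping that code to die; a configuration that uses plain `sufficient`/`required`, or one copied without `cred_err=die`, turns a failed mandatory OTP into a fall-through to the password module. The email itself says the exact code is not insisted on, so a comment pinning the contract is the minimum: `/* OTP failed. If a plaintext password is acceptable from this host, return AUTH_ERR so a stack may fall through to the next module; otherwise CRED_ERR so the stack can be told to fail hard (see pam.d/su: cred_err=die). */`. If the intent is really "this user must not be authenticated by any later module", returning a code the stack treats as fatal by default (or a dedicated module, as a pam_opieaccess-style check) would not depend on per-service control syntax being right.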
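Review bot: The new `auth [default=ignore success=done cred_err=die] pam_opie.so no_warn` line makes the whole OTP policy depend on that bracketed control string: `success=done` ends the auth stack on a good OTP so pam_unix is never consulted, `default=ignore` makes every other result (no OPIE key, unknown user, AUTH_ERR when plaintext is allowed) transparent, and only `cred_err=die` stops a failed mandatory OTP from falling through to pam_unix with try_first_pass, which would then receive the string typed at the OPIE prompt as the Unix password. A one-line comment above it would keep the next editor from "simplifying" it into `sufficient`, e.g. `# pam_opie must stay [... cred_err=die]: a failed OTP for a user whose host may not use plaintext must not fall through to pam_unix.` Since su sets no PAM_RHOST, the module's pwok test is always false here, so any account with an OPIE key is hard-locked to OTP for su; if that is intended it belongs in the same comment. Note also that pam_opie re-prompts with echo on after an empty response (pre-existing behaviour in the module's prompt loop), and with try_first_pass that echoed string is what pam_unix will test, so a Unix password typed at the second prompt is displayed on the terminal.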