Date: Sat, 19 Jan 2002 20:13:55 +0300 From: "Andrey A. Chernov" <ache@nagual.pp.ru> To: Dag-Erling Smorgrav <des@ofug.org>, mark@grondar.za Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: PAM pacthes we discuss Message-ID: <20020119171353.GA11472@nagual.pp.ru> In-Reply-To: <xzp1ygm9vc8.fsf@flood.ping.uio.no> References: <200201190901.g0J91H641020@freefall.freebsd.org> <xzp1ygm9vc8.fsf@flood.ping.uio.no>
On Sat, Jan 19, 2002 at 17:08:55 +0100, Dag-Erling Smorgrav wrote:
> out and submit them to markm and myself for review, along with a
Here is the patch; similar /etc/pam.d/* changes are not included, and the
login.c/ftpd.c PAM_CRED_ERR addition is not included either (I do not insist on
exactly that error code).
Index: pam_opie.c
===================================================================
RCS file: /home/ncvs/src/lib/libpam/modules/pam_opie/pam_opie.c,v
retrieving revision 1.7
retrieving revision 1.12
diff -u -r1.7 -r1.12
--- pam_opie.c 5 Dec 2001 16:06:27 -0000 1.7
+++ pam_opie.c 19 Jan 2002 10:09:05 -0000 1.12
@@ -36,7 +36,7 @@
*/
#include <sys/cdefs.h>
-__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_opie/pam_opie.c,v 1.7 2001/12/05 16:06:27 des Exp $");
+__FBSDID("$FreeBSD: src/lib/libpam/modules/pam_opie/pam_opie.c,v 1.12 2002/01/19 10:09:05 ache Exp $");
#include <sys/types.h>
#include <opie.h>
@@ -66,13 +66,12 @@
struct opie opie;
struct options options;
struct passwd *pwd;
- int retval, i;
+ int retval, i, pwok;
char *(promptstr[]) = { "%s\nPassword: ", "%s\nPassword [echo on]: "};
char challenge[OPIE_CHALLENGE_MAX];
char prompt[OPIE_CHALLENGE_MAX+22];
char resp[OPIE_SECRET_MAX];
- const char *user;
- const char *response;
+ const char *user, *response, *rhost;
pam_std_option(&options, other_options, argc, argv);
@@ -89,13 +88,16 @@
user = NULL;
if (pam_test_option(&options, PAM_OPT_AUTH_AS_SELF, NULL)) {
- pwd = getpwnam(getlogin());
+ if ((pwd = getpwnam(getlogin())) == NULL)
+ PAM_RETURN(PAM_AUTH_ERR);
user = pwd->pw_name;
}
else {
retval = pam_get_user(pamh, (const char **)&user, NULL);
if (retval != PAM_SUCCESS)
PAM_RETURN(retval);
+ if ((pwd = getpwnam(user)) == NULL)
+ PAM_RETURN(PAM_AUTH_ERR);
}
PAM_LOG("Got user: %s", user);
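Review bot: getlogin() can return NULL when the calling process has no login name attached, and the new auth_as_self branch passes that result straight into getpwnam(), which is not required to accept a NULL name. Capture it first: `const char *login = getlogin();` followed by `if (login == NULL || (pwd = getpwnam(login)) == NULL) PAM_RETURN(PAM_AUTH_ERR);`. The added getpwnam(user) check in the else branch reports an unknown account as PAM_AUTH_ERR where PAM_USER_UNKNOWN is the conventional code; either works with the `default=ignore` control in the su configuration below, but the choice deserves a one-line comment. The enclosing function begins before this hunk.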
@@ -106,7 +108,14 @@
*/
opiedisableaeh();
- opiechallenge(&opie, (char *)user, challenge);
+ if (opiechallenge(&opie, (char *)user, challenge) == 0) {
+ rhost = NULL;
+ (void) pam_get_item(pamh, PAM_RHOST, (const void **)&rhost);
+ pwok = (rhost != NULL) && (*rhost != '\0') &&
+ opieaccessfile((char *)rhost) &&
+ opiealways(pwd->pw_dir);
+ } else
+ PAM_RETURN(PAM_AUTH_ERR);
for (i = 0; i < 2; i++) {
snprintf(prompt, sizeof prompt, promptstr[i], challenge);
retval = pam_get_pass(pamh, &response, prompt, &options);
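Review bot: The pwok expression relies on opiealways() being non-zero when ~/.opiealways is absent, which reads as the opposite of its name; if it follows access() semantics (0 when the file exists) the logic is right but should say so, e.g. `/* opiealways() is 0 when ~/.opiealways exists, so non-zero here means a plain password is still permitted */` — confirm against libopie. The `(char *)rhost` cast discards the const that pam_get_item() hands back; if opieaccessfile() does not modify its argument, a const-correct prototype would be preferable to the cast. The pam_get_item() return value is dropped via the (void) cast, which is safe only because rhost is set to NULL on the line before; a comment noting that dependency would help. The function continues past the hunk.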
@@ -125,7 +134,7 @@
}
/* We have to copy the response, because opieverify mucks with it. */
- snprintf(resp, sizeof resp, "%s", response);
+ strlcpy(resp, response, sizeof resp);
/*
* Opieverify is supposed to return -1 only if an error occurs.
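Review bot: strlcpy() silently truncates a response longer than OPIE_SECRET_MAX - 1, so an over-long response is verified as a different string rather than rejected, the same behaviour the snprintf() it replaces had. Since strlcpy() returns the length it wanted to copy, the truncation can be detected in place: `if (strlcpy(resp, response, sizeof resp) >= sizeof resp) PAM_RETURN(PAM_AUTH_ERR);`. The function continues on both sides of the hunk.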
@@ -133,7 +142,10 @@
* it expects. Thus we can't log an error and can only check for
* success or lack thereof.
*/
- retval = opieverify(&opie, resp) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
+ if (opieverify(&opie, resp) != 0)
+ retval = pwok ? PAM_AUTH_ERR : PAM_CRED_ERR;
+ else
+ retval = PAM_SUCCESS;
PAM_RETURN(retval);
}
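Review bot: The `pwok ? PAM_AUTH_ERR : PAM_CRED_ERR` choice is the heart of the change, but nothing in the code says why PAM_CRED_ERR, normally a credential-setting failure, is returned from an authentication call; the intent is only visible in the su configuration's `cred_err=die` control. A comment above the if would make that explicit, e.g. `/* When OPIE is mandatory for this user and host, return PAM_CRED_ERR so a cred_err=die control can abort the stack instead of falling through to a password module. */`. The resp buffer still holds the one-time response after opieverify(); clearing it before PAM_RETURN would limit how long the secret lingers on the stack, bearing in mind that a plain memset() just before return may be optimised away.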
--- su.orig Wed Dec 5 13:26:00 2001
+++ su Sat Jan 19 02:31:32 2002
@@ -1,5 +1,5 @@
#
-# $FreeBSD: src/etc/pam.d/su,v 1.2 2001/12/05 21:26:00 des Exp $
+# $FreeBSD: src/etc/pam.d/su,v 1.3 2002/01/19 10:31:32 ache Exp $
#
# PAM configuration for the "su" service
#
@@ -9,8 +9,8 @@
auth requisite pam_wheel.so no_warn auth_as_self noroot_ok
#auth sufficient pam_kerberosIV.so no_warn
#auth sufficient pam_krb5.so no_warn try_first_pass auth_as_self
-#auth required pam_opie.so no_warn
#auth required pam_ssh.so no_warn try_first_pass
+auth [default=ignore success=done cred_err=die] pam_opie.so no_warn
auth required pam_unix.so no_warn try_first_pass nullok
#auth sufficient pam_rootok.so no_warn
##auth sufficient pam_kerberosIV.so no_warn
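Review bot: The new `[default=ignore success=done cred_err=die]` control line carries no comment, and its effect is not obvious: a correct OPIE response ends the auth stack without reaching pam_unix, PAM_CRED_ERR aborts it, and every other result (presumably including a service or module error) is ignored and falls through to the password prompt. A comment above the line, e.g. `# OPIE first: success ends the stack, cred_err (OPIE mandatory, response wrong) aborts it, anything else falls through to pam_unix`, would record that design. Note also that the module runs without try_first_pass, so a user whose OPIE attempt fails is prompted a second time by pam_unix.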
--
Andrey A. Chernov
http://ache.pp.ru/
