1.1 ! misho 1: /*
! 2: * Copyright (c) 1999-2005, 2007, 2010-2011
! 3: * Todd C. Miller <Todd.Miller@courtesan.com>
! 4: * Copyright (c) 2002 Michael Stroucken <michael@stroucken.org>
! 5: *
! 6: * Permission to use, copy, modify, and distribute this software for any
! 7: * purpose with or without fee is hereby granted, provided that the above
! 8: * copyright notice and this permission notice appear in all copies.
! 9: *
! 10: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
! 11: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
! 12: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
! 13: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
! 14: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
! 15: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
! 16: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
! 17: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
! 18: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
! 19: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
! 20: *
! 21: * Sponsored in part by the Defense Advanced Research Projects
! 22: * Agency (DARPA) and Air Force Research Laboratory, Air Force
! 23: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
! 24: */
! 25:
! 26: #include <config.h>
! 27:
! 28: #include <sys/types.h>
! 29: #include <sys/param.h>
! 30: #include <stdio.h>
! 31: #ifdef STDC_HEADERS
! 32: # include <stdlib.h>
! 33: # include <stddef.h>
! 34: #else
! 35: # ifdef HAVE_STDLIB_H
! 36: # include <stdlib.h>
! 37: # endif
! 38: #endif /* STDC_HEADERS */
! 39: #ifdef HAVE_STRING_H
! 40: # include <string.h>
! 41: #endif /* HAVE_STRING_H */
! 42: #ifdef HAVE_STRINGS_H
! 43: # include <strings.h>
! 44: #endif /* HAVE_STRINGS_H */
! 45: #ifdef HAVE_UNISTD_H
! 46: # include <unistd.h>
! 47: #endif /* HAVE_UNISTD_H */
! 48: #include <pwd.h>
! 49:
! 50: /* Needed for SecurID v5.0 Authentication on UNIX */
! 51: #define UNIX 1
! 52: #include <acexport.h>
! 53: #include <sdacmvls.h>
! 54:
! 55: #include "sudoers.h"
! 56: #include "sudo_auth.h"
! 57:
/*
 * securid_init - Initialises communications with ACE server
 *
 * Arguments in:
 *	pw	- UNUSED
 *	auth	- sudo authentication structure
 *
 * Results out:
 *	auth	- auth->data points at the (static) SecurID handle that the
 *		  setup and verify callbacks use
 *	return code - AUTH_FATAL if the ACE API library could not be
 *		  initialised, AUTH_SUCCESS otherwise
 */
int
securid_init(struct passwd *pw, sudo_auth *auth)
{
    static SDI_HANDLE sd_dat;	/* SecurID handle, shared by all callbacks */
    int rval = AUTH_FATAL;

    /* Method-specific data: hand the handle to the later callbacks. */
    auth->data = (void *) &sd_dat;

    /* Start communications with the ACE API library. */
    if (AceInitialize() == SD_FALSE)
	warningx(_("failed to initialise the ACE API library"));
    else
	rval = AUTH_SUCCESS;

    return rval;
}
! 83:
/*
 * securid_setup - Initialises a SecurID transaction and locks out other
 *		   ACE servers
 *
 * Arguments in:
 *	pw	- struct passwd for username
 *	promptp	- UNUSED
 *	auth	- sudo authentication structure for SecurID handle
 *
 * Results out:
 *	return code - AUTH_SUCCESS if the transaction started and the user ID
 *		  was locked, AUTH_FATAL otherwise (a diagnostic is logged
 *		  via warningx() for every failure)
 */
int
securid_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
{
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
    int lock_status;

    /* Re-initialize SecurID every time. */
    if (SD_Init(sd) != ACM_OK) {
	warningx(_("unable to contact the SecurID server"));
	return AUTH_FATAL;
    }

    /* Lock the user ID for this transaction (see header comment). */
    lock_status = SD_Lock(*sd, pw->pw_name);
    if (lock_status == ACM_OK) {
	warningx(_("User ID locked for SecurID Authentication"));
	return AUTH_SUCCESS;
    }

    /* Every other lock result is fatal; only the diagnostic differs. */
    if (lock_status == ACE_UNDEFINED_USERNAME)
	warningx(_("invalid username length for SecurID"));
    else if (lock_status == ACE_ERR_INVALID_HANDLE)
	warningx(_("invalid Authentication Handle for SecurID"));
    else if (lock_status == ACM_ACCESS_DENIED)
	warningx(_("SecurID communication failed"));
    else
	warningx(_("unknown SecurID error"));

    return AUTH_FATAL;
}
! 134:
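/*
 * securid_next_code - handle ACM_NEXT_CODE_REQUIRED from SD_Check().
 *
 * Sometimes (when current token close to expire?) ACE challenges for the
 * next token displayed (entered without the PIN).  Prompt for it and
 * submit it with SD_Next().
 *
 * Arguments in:
 *	sd	- SecurID handle of the open transaction
 *
 * Results out:
 *	return code - AUTH_SUCCESS if ACE accepts the next code,
 *		  AUTH_FAILURE if it is rejected or no code was entered
 */
static int
securid_next_code(SDI_HANDLE *sd)
{
    char *code;
    int rval = AUTH_FAILURE;

    code = auth_getpass("\
!!! ATTENTION !!!\n\
Wait for the token code to change, \n\
then enter the new token code.\n",
	def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
    if (code == NULL) {
	/* Timeout, EOF or conversation failure: nothing to submit. */
	return AUTH_FAILURE;
    }

    if (SD_Next(*sd, code) == ACM_OK)
	rval = AUTH_SUCCESS;

    /* Don't leave the token code lying around in memory. */
    memset(code, 0, strlen(code));

    return rval;
}

/*
 * securid_verify - Authenticates user and handles ACE responses
 *
 * Arguments in:
 *	pw	- struct passwd for username
 *	pass	- UNUSED on entry; overwritten with the passcode read
 *		  from the user via auth_getpass()
 *	auth	- sudo authentication structure for SecurID handle
 *
 * Results out:
 *	return code - AUTH_SUCCESS on successful authentication,
 *		  AUTH_FAILURE on an incorrect (or missing) passcode,
 *		  AUTH_FATAL on errors
 *
 * The transaction opened by securid_setup() is always closed with
 * SD_Close() before returning, whatever the outcome.
 */
int
securid_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
    int rval;

    pass = auth_getpass("Enter your PASSCODE: ",
	def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
    if (pass == NULL) {
	/*
	 * No passcode (timeout, EOF or conversation failure).  There is
	 * nothing to hand to SD_Check(), but the transaction still has to
	 * be closed.  Treated as a failed attempt rather than a fatal error.
	 */
	SD_Close(*sd);
	return AUTH_FAILURE;
    }

    /* Have ACE verify password */
    switch (SD_Check(*sd, pass, pw->pw_name)) {
    case ACM_OK:
	rval = AUTH_SUCCESS;	/* was misspelled AUTH_SUCESS */
	break;

    case ACE_UNDEFINED_PASSCODE:
	warningx(_("invalid passcode length for SecurID"));
	rval = AUTH_FATAL;
	break;

    case ACE_UNDEFINED_USERNAME:
	warningx(_("invalid username length for SecurID"));
	rval = AUTH_FATAL;
	break;

    case ACE_ERR_INVALID_HANDLE:
	warningx(_("invalid Authentication Handle for SecurID"));
	rval = AUTH_FATAL;
	break;

    case ACM_ACCESS_DENIED:
	rval = AUTH_FAILURE;
	break;

    case ACM_NEXT_CODE_REQUIRED:
	/* ACE wants the next token code; prompt for it separately. */
	rval = securid_next_code(sd);
	break;

    case ACM_NEW_PIN_REQUIRED:
	/*
	 * This user's SecurID has not been activated yet,
	 * or the pin has been reset
	 */
	/* XXX - Is setting up a new PIN within sudo's scope? */
	SD_Pin(*sd, "");
	fprintf(stderr, "Your SecurID access has not yet been set up.\n");
	fprintf(stderr, "Please set up a PIN before you try to authenticate.\n");
	rval = AUTH_FATAL;
	break;

    default:
	warningx(_("unknown SecurID error"));
	rval = AUTH_FATAL;
	break;
    }

    /* Scrub the passcode now that ACE has seen it. */
    memset(pass, 0, strlen(pass));

    /* Free resources */
    SD_Close(*sd);

    /* Return stored state to calling process */
    return rval;
}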