1.1 misho 1: /*
2: * Copyright (c) 1999-2005, 2007, 2010-2011
3: * Todd C. Miller <Todd.Miller@courtesan.com>
4: * Copyright (c) 2002 Michael Stroucken <michael@stroucken.org>
5: *
6: * Permission to use, copy, modify, and distribute this software for any
7: * purpose with or without fee is hereby granted, provided that the above
8: * copyright notice and this permission notice appear in all copies.
9: *
10: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
18: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
19: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20: *
21: * Sponsored in part by the Defense Advanced Research Projects
22: * Agency (DARPA) and Air Force Research Laboratory, Air Force
23: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
24: */
25:
26: #include <config.h>
27:
28: #include <sys/types.h>
29: #include <sys/param.h>
30: #include <stdio.h>
31: #ifdef STDC_HEADERS
32: # include <stdlib.h>
33: # include <stddef.h>
34: #else
35: # ifdef HAVE_STDLIB_H
36: # include <stdlib.h>
37: # endif
38: #endif /* STDC_HEADERS */
39: #ifdef HAVE_STRING_H
40: # include <string.h>
41: #endif /* HAVE_STRING_H */
42: #ifdef HAVE_STRINGS_H
43: # include <strings.h>
44: #endif /* HAVE_STRINGS_H */
45: #ifdef HAVE_UNISTD_H
46: # include <unistd.h>
47: #endif /* HAVE_UNISTD_H */
48: #include <pwd.h>
49:
50: /* Needed for SecurID v5.0 Authentication on UNIX */
51: #define UNIX 1
52: #include <acexport.h>
53: #include <sdacmvls.h>
54:
55: #include "sudoers.h"
56: #include "sudo_auth.h"
57:
/*
 * securid_init - Initialises communications with ACE server
 *
 * Arguments in:
 *	pw   - UNUSED
 *	auth - sudo authentication structure
 *
 * Results out:
 *	auth        - auth->data points at the (static) SecurID handle that
 *	              securid_setup() and securid_verify() operate on
 *	return code - AUTH_FATAL if the ACE library could not be initialised,
 *	              AUTH_SUCCESS otherwise.
 */
int
securid_init(struct passwd *pw, sudo_auth *auth)
{
    static SDI_HANDLE sd_dat;	/* SecurID handle, one per process */
    int rc = AUTH_FATAL;

    /* Hand the handle to the other securid_* methods via auth->data. */
    auth->data = (void *) &sd_dat;

    /* Start communications; any value other than SD_FALSE counts as success. */
    if (AceInitialize() == SD_FALSE)
	warningx(_("failed to initialise the ACE API library"));
    else
	rc = AUTH_SUCCESS;

    return rc;
}
83:
/*
 * securid_setup - Initialises a SecurID transaction and locks out other
 *		   ACE servers
 *
 * Arguments in:
 *	pw      - struct passwd for username
 *	promptp - UNUSED
 *	auth    - sudo authentication structure for SecurID handle
 *
 * Results out:
 *	return code - AUTH_SUCCESS if the transaction started correctly
 *		      (the user ID is then locked on the ACE server),
 *		      AUTH_FATAL otherwise; every outcome is reported
 *		      through warningx().
 *
 * NOTE(review): on the failure paths the handle obtained from SD_Init()
 * is left open; securid_verify() is the only place that calls SD_Close()
 * and it is not reached after AUTH_FATAL.  Confirm with the ACE API docs
 * whether SD_Close() is wanted here before changing that.
 */
int
securid_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
{
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
    const char *msg;
    int rc = AUTH_FATAL;

    /* Re-initialize SecurID every time. */
    if (SD_Init(sd) != ACM_OK) {
	warningx(_("unable to contact the SecurID server"));
	return rc;
    }

    /* Lock new PIN code; map the ACE status to a message and a result. */
    switch (SD_Lock(*sd, pw->pw_name)) {
    case ACM_OK:
	msg = _("User ID locked for SecurID Authentication");
	rc = AUTH_SUCCESS;
	break;
    case ACE_UNDEFINED_USERNAME:
	msg = _("invalid username length for SecurID");
	break;
    case ACE_ERR_INVALID_HANDLE:
	msg = _("invalid Authentication Handle for SecurID");
	break;
    case ACM_ACCESS_DENIED:
	msg = _("SecurID communication failed");
	break;
    default:
	msg = _("unknown SecurID error");
	break;
    }

    /* "%s" keeps the (translated) text out of the format-string position. */
    warningx("%s", msg);
    return rc;
}
134:
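/*
 * securid_verify - Authenticates user and handles ACE responses
 *
 * Arguments in:
 *	pw   - struct passwd for username
 *	pass - UNUSED (the passcode is prompted for here instead)
 *	auth - sudo authentication structure for SecurID handle
 *
 * Results out:
 *	return code - AUTH_SUCCESS on successful authentication,
 *		      AUTH_FAILURE on an incorrect passcode (or when no
 *		      passcode was obtained from the prompt),
 *		      AUTH_FATAL on errors
 *
 * The SecurID handle opened by securid_setup() is closed with SD_Close()
 * on every path out of this function.
 *
 * NOTE(review): the passcode buffers returned by auth_getpass() are not
 * zeroized here; whether that is done by auth_getpass()'s owner or must be
 * done by the caller is not visible in this file — confirm against
 * sudo_auth.c.
 */
int
securid_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
    int rval = AUTH_FATAL;

    pass = auth_getpass("Enter your PASSCODE: ",
	def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
    if (pass == NULL) {
	/*
	 * No passcode obtained (presumably a timed-out or interrupted
	 * prompt — confirm against auth_getpass()).  Never pass a NULL
	 * passcode to SD_Check(); count it as a failed attempt.
	 */
	rval = AUTH_FAILURE;
	goto done;
    }

    /* Have ACE verify password */
    switch (SD_Check(*sd, pass, pw->pw_name)) {
	case ACM_OK:
		/* Was misspelled AUTH_SUCESS, an undeclared identifier. */
		rval = AUTH_SUCCESS;
		break;

	case ACE_UNDEFINED_PASSCODE:
		warningx(_("invalid passcode length for SecurID"));
		rval = AUTH_FATAL;
		break;

	case ACE_UNDEFINED_USERNAME:
		warningx(_("invalid username length for SecurID"));
		rval = AUTH_FATAL;
		break;

	case ACE_ERR_INVALID_HANDLE:
		warningx(_("invalid Authentication Handle for SecurID"));
		rval = AUTH_FATAL;
		break;

	case ACM_ACCESS_DENIED:
		rval = AUTH_FAILURE;
		break;

	case ACM_NEXT_CODE_REQUIRED:
		/* Sometimes (when current token close to expire?)
		   ACE challenges for the next token displayed
		   (entered without the PIN) */
		pass = auth_getpass("!!! ATTENTION !!!\n"
		    "Wait for the token code to change, \n"
		    "then enter the new token code.\n",
		    def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
		if (pass == NULL) {
			/* Same guard as above: no second code, no SD_Next(). */
			rval = AUTH_FAILURE;
			break;
		}

		rval = (SD_Next(*sd, pass) == ACM_OK) ? AUTH_SUCCESS : AUTH_FAILURE;
		break;

	case ACM_NEW_PIN_REQUIRED:
		/*
		 * This user's SecurID has not been activated yet,
		 * or the pin has been reset
		 */
		/* XXX - Is setting up a new PIN within sudo's scope? */
		/* The SD_Pin() status is deliberately ignored: we do not
		   set a PIN, we only tell the user to do so elsewhere. */
		SD_Pin(*sd, "");
		fprintf(stderr, "Your SecurID access has not yet been set up.\n");
		fprintf(stderr, "Please set up a PIN before you try to authenticate.\n");
		rval = AUTH_FATAL;
		break;

	default:
		warningx(_("unknown SecurID error"));
		rval = AUTH_FATAL;
		break;
    }

done:
    /* Free resources */
    SD_Close(*sd);

    /* Return stored state to calling process */
    return rval;
}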