1.1 misho 1: /*
2: * Copyright (c) 1999-2005, 2007, 2010-2011
3: * Todd C. Miller <Todd.Miller@courtesan.com>
4: * Copyright (c) 2002 Michael Stroucken <michael@stroucken.org>
5: *
6: * Permission to use, copy, modify, and distribute this software for any
7: * purpose with or without fee is hereby granted, provided that the above
8: * copyright notice and this permission notice appear in all copies.
9: *
10: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17: * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
18: * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
19: * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20: *
21: * Sponsored in part by the Defense Advanced Research Projects
22: * Agency (DARPA) and Air Force Research Laboratory, Air Force
23: * Materiel Command, USAF, under agreement number F39502-99-1-0512.
24: */
25:
26: #include <config.h>
27:
28: #include <sys/types.h>
29: #include <sys/param.h>
30: #include <stdio.h>
31: #ifdef STDC_HEADERS
32: # include <stdlib.h>
33: # include <stddef.h>
34: #else
35: # ifdef HAVE_STDLIB_H
36: # include <stdlib.h>
37: # endif
38: #endif /* STDC_HEADERS */
39: #ifdef HAVE_STRING_H
40: # include <string.h>
41: #endif /* HAVE_STRING_H */
42: #ifdef HAVE_STRINGS_H
43: # include <strings.h>
44: #endif /* HAVE_STRINGS_H */
45: #ifdef HAVE_UNISTD_H
46: # include <unistd.h>
47: #endif /* HAVE_UNISTD_H */
48: #include <pwd.h>
49:
50: /* Needed for SecurID v5.0 Authentication on UNIX */
51: #define UNIX 1
52: #include <acexport.h>
53: #include <sdacmvls.h>
54:
55: #include "sudoers.h"
56: #include "sudo_auth.h"
57:
/*
 * sudo_securid_init - Initialises communications with ACE server
 * Arguments in:
 *	pw - UNUSED
 *	auth - sudo authentication structure
 *
 * Results out:
 *	auth - auth->data contains pointer to new SecurID handle
 *	return code - Fatal if initialization unsuccessful, otherwise
 *		      success.
 */
int
sudo_securid_init(struct passwd *pw, sudo_auth *auth)
{
    /*
     * The handle lives in static storage so it outlives this call and can
     * be shared with sudo_securid_setup()/sudo_securid_verify() through
     * auth->data without any heap allocation (nothing to free later).
     */
    static SDI_HANDLE sd_dat;
    int rval = AUTH_FATAL;
    debug_decl(sudo_securid_init, SUDO_DEBUG_AUTH)

    auth->data = (void *) &sd_dat;	/* method-specific data */

    /* Start communications; SD_FALSE is the only value treated as failure. */
    if (AceInitialize() == SD_FALSE)
	warningx(_("failed to initialise the ACE API library"));
    else
	rval = AUTH_SUCCESS;

    debug_return_int(rval);
}
84:
/*
 * sudo_securid_setup - Initialises a SecurID transaction and locks out other
 *		       ACE servers
 *
 * Arguments in:
 *	pw - struct passwd for username
 *	promptp - UNUSED
 *	auth - sudo authentication structure for SecurID handle
 *
 * Results out:
 *	return code - Success if transaction started correctly, fatal
 *		      otherwise
 *
 * NOTE(review): on a failed SD_Lock() the handle filled in by SD_Init() is
 * not closed here; SD_Close() is only reached at the end of
 * sudo_securid_verify(), which is not called after a fatal setup.
 */
int
sudo_securid_setup(struct passwd *pw, char **promptp, sudo_auth *auth)
{
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
    const char *msg;
    int rval = AUTH_FATAL;
    debug_decl(sudo_securid_setup, SUDO_DEBUG_AUTH)

    /* Re-initialize SecurID every time. */
    if (SD_Init(sd) != ACM_OK) {
	warningx("%s", _("unable to contact the SecurID server"));
	debug_return_int(AUTH_FATAL);
    }

    /*
     * Lock new PIN code.  Every ACE status maps onto one diagnostic and one
     * result; only ACM_OK is a success, everything else is fatal.
     */
    switch (SD_Lock(*sd, pw->pw_name)) {
    case ACM_OK:
	msg = _("User ID locked for SecurID Authentication");
	rval = AUTH_SUCCESS;
	break;
    case ACE_UNDEFINED_USERNAME:
	msg = _("invalid username length for SecurID");
	break;
    case ACE_ERR_INVALID_HANDLE:
	msg = _("invalid Authentication Handle for SecurID");
	break;
    case ACM_ACCESS_DENIED:
	msg = _("SecurID communication failed");
	break;
    default:
	msg = _("unknown SecurID error");
	break;
    }

    /* Translated text is data, not a format string. */
    warningx("%s", msg);
    debug_return_int(rval);
}
136:
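/*
 * sudo_securid_verify - Authenticates user and handles ACE responses
 *
 * Arguments in:
 *	pw - struct passwd for username
 *	pass - UNUSED as input; SecurID prompts for the PASSCODE itself and
 *	       reuses this variable to hold the reply it owns
 *	auth - sudo authentication structure for SecurID handle
 *
 * Results out:
 *	return code - Success on successful authentication, failure on
 *		      incorrect authentication, AUTH_INTR if the user gave
 *		      no PASSCODE (^C / timeout), fatal on errors
 *
 * Fixes relative to the previous revision:
 *  - ACM_OK assigned the misspelled AUTH_SUCESS, which does not compile.
 *  - A NULL reply from auth_getpass() was passed straight to SD_Check()
 *    / SD_Next().
 *  - The PASSCODE buffers returned by auth_getpass() were never scrubbed
 *    or freed (the first one was simply overwritten on re-prompt).
 *  - SD_Close() is now reached on every path that got past SD_Init().
 */
int
sudo_securid_verify(struct passwd *pw, char *pass, sudo_auth *auth)
{
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
    int rval;
    debug_decl(sudo_securid_verify, SUDO_DEBUG_AUTH)

    pass = auth_getpass("Enter your PASSCODE: ",
	def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);
    if (pass == NULL) {
	/* ^C or timeout at the prompt: nothing was sent to ACE. */
	rval = AUTH_INTR;
	goto done;
    }

    /* Have ACE verify password */
    switch (SD_Check(*sd, pass, pw->pw_name)) {
    case ACM_OK:
	rval = AUTH_SUCCESS;
	break;

    case ACE_UNDEFINED_PASSCODE:
	warningx("%s", _("invalid passcode length for SecurID"));
	rval = AUTH_FATAL;
	break;

    case ACE_UNDEFINED_USERNAME:
	warningx("%s", _("invalid username length for SecurID"));
	rval = AUTH_FATAL;
	break;

    case ACE_ERR_INVALID_HANDLE:
	warningx("%s", _("invalid Authentication Handle for SecurID"));
	rval = AUTH_FATAL;
	break;

    case ACM_ACCESS_DENIED:
	rval = AUTH_FAILURE;
	break;

    case ACM_NEXT_CODE_REQUIRED:
	/* Sometimes (when current token close to expire?)
	   ACE challenges for the next token displayed
	   (entered without the PIN) */

	/* The first PASSCODE has been consumed by SD_Check(); scrub it
	 * before the re-prompt replaces the pointer. */
	zero_bytes(pass, strlen(pass));
	efree(pass);
	pass = auth_getpass("\
!!! ATTENTION !!!\n\
Wait for the token code to change, \n\
then enter the new token code.\n", \
	    def_passwd_timeout * 60, SUDO_CONV_PROMPT_ECHO_OFF);

	if (pass == NULL) {
	    /* User gave up at the second prompt. */
	    rval = AUTH_INTR;
	    break;
	}

	rval = (SD_Next(*sd, pass) == ACM_OK) ? AUTH_SUCCESS : AUTH_FAILURE;
	break;

    case ACM_NEW_PIN_REQUIRED:
	/*
	 * This user's SecurID has not been activated yet,
	 * or the pin has been reset
	 */
	/* XXX - Is setting up a new PIN within sudo's scope? */
	SD_Pin(*sd, "");
	fprintf(stderr, "Your SecurID access has not yet been set up.\n");
	fprintf(stderr, "Please set up a PIN before you try to authenticate.\n");
	rval = AUTH_FATAL;
	break;

    default:
	warningx("%s", _("unknown SecurID error"));
	rval = AUTH_FATAL;
	break;
    }

done:
    /* Free resources: the handle was opened by SD_Init() in setup. */
    SD_Close(*sd);

    /*
     * The PASSCODE is a one-time secret; scrub it before releasing the
     * buffer we own (the conversation reply is heap-allocated for us).
     */
    if (pass != NULL) {
	zero_bytes(pass, strlen(pass));
	efree(pass);
    }

    /* Return stored state to calling process */
    debug_return_int(rval);
}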