author | Todd C. Miller <millert@cvs.openbsd.org> | 2001-05-29 21:38:16 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2001-05-29 21:38:16 +0000 |
commit | ec4572b6d7e615bafee40952cfc06e688493a4cd (patch) | |
tree | 7d0ffa15c2dabb44c3ca9302a7207addcf5719bb | |
parent | 1cedb70cebb95b2ad0b3f9fb29b5e77eeca4c37d (diff) |
adapt to BSD authentication and clean things up a bit while I am at it
-rw-r--r-- | usr.bin/lock/Makefile | 13 | ||||
-rw-r--r-- | usr.bin/lock/lock.1 | 22 | ||||
-rw-r--r-- | usr.bin/lock/lock.c | 193 |
3 files changed, 92 insertions, 136 deletions
diff --git a/usr.bin/lock/Makefile b/usr.bin/lock/Makefile index 4a9c68dce62..2c016206cbd 100644 --- a/usr.bin/lock/Makefile +++ b/usr.bin/lock/Makefile @@ -1,15 +1,8 @@ -# $OpenBSD: Makefile,v 1.9 2000/09/03 18:41:17 espie Exp $ +# $OpenBSD: Makefile,v 1.10 2001/05/29 21:38:14 millert Exp $ PROG= lock BINOWN= root -BINMODE=4555 - -.include <bsd.own.mk> - -.if (${SKEY:L} == "yes") -CFLAGS+=-DSKEY -LDADD+= -lskey -DPADD+= ${LIBSKEY} -.endif +BINGRP= auth +BINMODE=2555 .include <bsd.prog.mk> diff --git a/usr.bin/lock/lock.1 b/usr.bin/lock/lock.1 index 69d60e0c114..932a9475743 100644 --- a/usr.bin/lock/lock.1 +++ b/usr.bin/lock/lock.1 @@ -1,5 +1,4 @@ -.\" $OpenBSD: lock.1,v 1.10 2000/11/09 17:52:19 aaron Exp $ -.\" $NetBSD: lock.1,v 1.4 1994/12/22 01:16:21 jtc Exp $ +.\" $OpenBSD: lock.1,v 1.11 2001/05/29 21:38:15 millert Exp $ .\" .\" Copyright (c) 1987, 1990, 1993 .\" The Regents of the University of California. All rights reserved. @@ -44,6 +43,7 @@ .Nm lock .Op Fl n .Op Fl p +.Op Fl a Ar style .Op Fl t Ar timeout .Sh DESCRIPTION .Nm @@ -62,8 +62,7 @@ Terminal will be locked forever. .It Fl p A password is not requested, instead the user's current login password is used. -If the user has an S/Key key, they may also use it -to unlock the terminal. +If the user has an S/Key key, they may also use it to unlock the terminal. To do this the user should enter .Qq s/key at the unlock 
@@ -72,13 +71,26 @@ prompt. The user will then be issued an S/Key challenge to which they may respond with a six-word S/Key one-time password. +.It Fl a Ar style +The specified BSD Authentication login +.Ar style +(as specified in +.Pa /etc/login.conf ) +will be used to authenticate the user. If the particular +.Ar style +requires a challenge/response handshake or a special prompt, the +user may enter the name of the +.Ar style +to get the standard prompt for that +.Ar style . .It Fl t Ar timeout The time limit (default 15 minutes) is changed to .Ar timeout minutes. .El .Sh SEE ALSO -.Xr skey 1 +.Xr skey 1 , +.Xr login.conf 5 .Sh HISTORY The .Nm diff --git a/usr.bin/lock/lock.c b/usr.bin/lock/lock.c index 3c388f9f48b..dcd017f9dd5 100644 --- a/usr.bin/lock/lock.c +++ b/usr.bin/lock/lock.c @@ -1,4 +1,4 @@ -/* $OpenBSD: lock.c,v 1.12 1999/03/06 20:27:40 millert Exp $ */ +/* $OpenBSD: lock.c,v 1.13 2001/05/29 21:38:15 millert Exp $ */ /* $NetBSD: lock.c,v 1.8 1996/05/07 18:32:31 jtc Exp $ */ /* @@ -47,7 +47,7 @@ static char copyright[] = #if 0 static char sccsid[] = "@(#)lock.c 8.1 (Berkeley) 6/6/93"; #endif -static char rcsid[] = "$OpenBSD: lock.c,v 1.12 1999/03/06 20:27:40 millert Exp $"; +static char rcsid[] = "$OpenBSD: lock.c,v 1.13 2001/05/29 21:38:15 millert Exp $"; #endif /* not lint */ /* 
@@ -66,29 +66,28 @@ static char rcsid[] = "$OpenBSD: lock.c,v 1.12 1999/03/06 20:27:40 millert Exp $ #include <ctype.h> #include <err.h> #include <pwd.h> +#include <readpassphrase.h> #include <stdio.h> #include <stdlib.h> #include <string.h> #include <termios.h> #include <unistd.h> -#ifdef SKEY -#include <skey.h> -#endif +#include <login_cap.h> +#include <bsd_auth.h> #define TIMEOUT 15 void bye __P((int)); void hi __P((int)); -void quit __P((int)); -int skey_auth __P((char *)); struct timeval timeout; struct timeval zerotime; -struct termios tty, ntty; -long nexttime; /* keep the timeout time */ +time_t nexttime; /* keep the timeout time */ int no_timeout; /* lock terminal forever */ +extern char *__progname; + /*ARGSUSED*/ int main(argc, argv) @@ -96,31 +95,42 @@ main(argc, argv) char **argv; { struct passwd *pw; - struct timeval timval; struct itimerval ntimer, otimer; struct tm *timp; time_t curtime; int ch, sectimeout, usemine; - char *ap, *mypw, *ttynam, *tzn; - char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ]; + char *p, *style, *nstyle, *ttynam; + char hostname[MAXHOSTNAMELEN], s[BUFSIZ], s1[BUFSIZ], date[256]; + login_cap_t *lc; sectimeout = TIMEOUT; - mypw = NULL; + style = NULL; usemine = 0; no_timeout = 0; if (!(pw = getpwuid(getuid()))) errx(1, "unknown uid %d.", getuid()); + + lc = login_getclass(pw->pw_class); - while ((ch = getopt(argc, argv, "npt:")) != -1) - switch((char)ch) { + while ((ch = getopt(argc, argv, "a:npt:")) != -1) + switch(ch) { + case 'a': + if (lc) { + style = login_getstyle(lc, optarg, "auth-lock"); + if (style == NULL) + errx(1, + "invalid authentication style: %s", + optarg); + } + usemine = 1; + break; case 't': if ((sectimeout = atoi(optarg)) <= 0) errx(1, "illegal timeout value: %s", optarg); break; case 'p': usemine = 1; - mypw = strdup(pw->pw_passwd); break; case 'n': no_timeout = 1; 
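Review bot: In the new `case 'a':` branch, `style` is only looked up when `lc` is non-NULL, so when `login_getclass()` has failed the requested style is silently dropped while `usemine` is still set, and the later `auth_userokay()` call runs with `nstyle == NULL` (the default style) instead of the style the user asked for. A failed class lookup should be fatal right after the call, before the option loop: `if (lc == NULL) errx(1, "unable to get login class for %s", pw->pw_name);`. The same unchecked `lc` is also passed to `login_getstyle(lc, "skey", "auth-lock")` in the main loop of the `@@ -187,108 +182,64 @@` hunk; I have not confirmed that `login_getstyle()` tolerates a NULL class pointer. main() continues past the end of this hunk.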
@@ -128,50 +138,35 @@ main(argc, argv) case '?': default: (void)fprintf(stderr, - "usage: lock [-n] [-p] [-t timeout]\n"); + "usage: %s [-n] [-p] [-a style] [-t timeout]\n", + __progname); exit(1); } timeout.tv_sec = sectimeout * 60; - seteuid(getuid()); /* discard what privs we can */ - - if (tcgetattr(0, &tty) < 0) /* get information for header */ - exit(1); gethostname(hostname, sizeof(hostname)); - if (!(ttynam = ttyname(0))) + if (!(ttynam = ttyname(STDIN_FILENO))) errx(1, "not a terminal?"); - if (gettimeofday(&timval, (struct timezone *)NULL)) - err(1, "gettimeofday"); - curtime = timval.tv_sec; - nexttime = timval.tv_sec + (sectimeout * 60); + curtime = time(NULL); + nexttime = curtime + (sectimeout * 60); timp = localtime(&curtime); - ap = asctime(timp); - tzn = timp->tm_zone; + strftime(date, sizeof(date), "%c", timp); - (void)signal(SIGINT, quit); - (void)signal(SIGQUIT, quit); - ntty = tty; ntty.c_lflag &= ~ECHO; - (void)tcsetattr(0, TCSADRAIN, &ntty); - - if (!mypw) { + if (!usemine) { /* get key and check again */ - (void)fputs("Key: ", stdout); - if (!fgets(s, sizeof(s), stdin) || *s == '\n') - quit(0); - (void)fputs("\nAgain: ", stdout); + if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) || + *s == '\0') + exit(0); /* * Don't need EOF test here, if we get EOF, then s1 != s * and the right things will happen. */ - (void)fgets(s1, sizeof(s1), stdin); - (void)putchar('\n'); + (void)readpassphrase("Again: ", s1, sizeof(s1), RPP_ECHO_OFF); if (strcmp(s1, s)) { - (void)puts("\alock: passwords didn't match."); - (void)tcsetattr(0, TCSADRAIN, &tty); + warnx("\apasswords didn't match."); exit(1); } s[0] = '\0'; - mypw = s1; } /* set signal handlers */ 
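Review bot: `nexttime = curtime + (sectimeout * 60);` multiplies in `int` before widening to `time_t`, so a large `-t` value accepted by the `atoi()` check (which only rejects values `<= 0`) overflows, which is undefined behaviour and can leave `nexttime` in the past; the context line `timeout.tv_sec = sectimeout * 60;` has the same shape. Widen first, `nexttime = curtime + (time_t)sectimeout * 60;`, and consider bounding `sectimeout` at the option check so both products fit. The `strftime()` return value is unchecked too; a zero return leaves `date` indeterminate before it is printed with `%s` in the next hunk, though `%c` into 256 bytes is unlikely to hit that. main() starts and ends outside this hunk.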
@@ -187,108 +182,64 @@ main(argc, argv) /* header info */ if (no_timeout) { - (void)printf("lock: %s on %s. no timeout\ntime now is %.20s%s%s", - ttynam, hostname, ap, tzn, ap + 19); + (void)fprintf(stderr, + "%s: %s on %s. no timeout\ntime now is %s\n", + __progname, ttynam, hostname, date); } else { - (void)printf("lock: %s on %s. timeout in %d minutes\ntime now is %.20s%s%s", - ttynam, hostname, sectimeout, ap, tzn, ap + 19); + (void)fprintf(stderr, + "%s: %s on %s. timeout in %d minutes\ntime now is %s\n", + __progname, ttynam, hostname, sectimeout, date); } for (;;) { - (void)fputs("Key: ", stdout); - if (!fgets(s, sizeof(s), stdin)) { - clearerr(stdin); + if (!readpassphrase("Key: ", s, sizeof(s), RPP_ECHO_OFF) || + *s == '\0') { hi(0); continue; } if (usemine) { - s[strlen(s) - 1] = '\0'; -#ifdef SKEY - if (strcasecmp(s, "s/key") == 0) { - /* S/Key lookup needs to be done as root */ - seteuid(0); - ch = skey_auth(pw->pw_name); - seteuid(getuid()); - if (ch) - break; - } -#endif - if (!strcmp(mypw, crypt(s, mypw))) + /* + * If user entered 's/key' or the style specified via + * the '-a' argument, auth_userokay() will prompt + * for a new password. Otherwise, use what we have. + */ + if ((strcmp(s, "s/key") == 0 && + (nstyle = login_getstyle(lc, "skey", "auth-lock"))) + || ((nstyle = style) && strcmp(s, nstyle) == 0)) + p = NULL; + else + p = s; + if (auth_userokay(pw->pw_name, nstyle, "auth-lock", p)) break; - } - else if (!strcmp(s, s1)) + } else if (strcmp(s, s1) == 0) break; - (void)puts("\a"); - if (tcsetattr(0, TCSADRAIN, &ntty) < 0) - exit(1); + (void)putc('\a', stderr); } - quit(0); - exit(0); /*NOTREACHED*/ -} - -#ifdef SKEY -/* - * We can't use libskey's skey_authenticate() since it - * handles signals in a way that's inappropriate - * for our needs. Instead we roll our own. 
- */ -int -skey_auth(user) - char *user; -{ - char s[256], *ask; - int ret = 0; - - if (!skey_haskey(user) && (ask = skey_keyinfo(user))) { - (void)printf("\n%s\nResponse: ", ask); - if (!fgets(s, sizeof(s), stdin) || *s == '\n') - clearerr(stdin); - else { - rip(s); - if (skey_passcheck(user, s) != -1) - ret = 1; - } - } else - (void)printf("Sorry, you have no s/key.\n"); - return(ret); + exit(0); } -#endif void hi(dummy) int dummy; { - struct timeval timval; + time_t now; - if (!gettimeofday(&timval, (struct timezone *)NULL)) { - (void)printf("lock: type in the unlock key. "); - if (no_timeout) { - putchar('\n'); - } else { - (void)printf("timeout in %ld:%ld minutes\n", - (nexttime - timval.tv_sec) / 60, - (nexttime - timval.tv_sec) % 60); - } + (void)fprintf(stderr, "%s: type in the unlock key.", __progname); + if (!no_timeout) { + now = time(NULL); + (void)fprintf(stderr, " timeout in %d:%d minutes", + (nexttime - now) / 60, + (nexttime - now) % 60); } -} - -void -quit(dummy) - int dummy; -{ - putchar('\n'); - (void)tcsetattr(0, TCSADRAIN, &tty); - exit(0); + putc('\n', stderr); } void bye(dummy) int dummy; { - if (!no_timeout) { - (void)tcsetattr(0, TCSADRAIN, &tty); - (void)puts("lock: timeout"); - exit(1); - } + + if (!no_timeout) + errx(1, "timeout"); } |
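Review bot: In `hi()`, `(nexttime - now) / 60` and `(nexttime - now) % 60` are `time_t` values but are printed with `%d`; the removed code used `%ld` on a `long`, and the new pairing is a format/argument mismatch on any target where `time_t` is not `int`. Casting keeps it portable: `(void)fprintf(stderr, " timeout in %ld:%02ld minutes", (long)((nexttime - now) / 60), (long)((nexttime - now) % 60));` — the `%02ld` also fixes the seconds field, which is currently printed unpadded (e.g. `3:5`) under a label that says minutes. Separately, `hi()` and `bye()` appear to be installed as signal handlers (the `/* set signal handlers */` context above) and now call `fprintf()` and `errx()`, which are not async-signal-safe; that mirrors the previous `printf()`/`puts()` usage, so it is a pre-existing design choice rather than a regression of this change. The first part of this hunk belongs to main(), which starts outside it.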