author | Todd C. Miller <millert@cvs.openbsd.org> | 2000-03-27 03:44:40 +0000 |
---|---|---|
committer | Todd C. Miller <millert@cvs.openbsd.org> | 2000-03-27 03:44:40 +0000 |
commit | 2973d269b6b765ebf9da010880d8df7b232c2bfe (patch) | |
tree | d906084a81de8e1143795dd439107c5fd984a071 /usr.bin/sudo/auth | |
parent | 4108b06f79f213a1c3c81108f94c7ec4ee919043 (diff) |
sudo 1.6.3; see http://www.courtesan.com/sudo/current.html for a list
of changes.
Diffstat (limited to 'usr.bin/sudo/auth')
-rw-r--r-- | usr.bin/sudo/auth/aix_auth.c | 4 | ||||
-rw-r--r-- | usr.bin/sudo/auth/fwtk.c | 7 | ||||
-rw-r--r-- | usr.bin/sudo/auth/pam.c | 7 | ||||
-rw-r--r-- | usr.bin/sudo/auth/passwd.c | 37 | ||||
-rw-r--r-- | usr.bin/sudo/auth/sudo_auth.c | 7 |
5 files changed, 44 insertions, 18 deletions
diff --git a/usr.bin/sudo/auth/aix_auth.c b/usr.bin/sudo/auth/aix_auth.c index 670c0fb6a7c..3748d4dd869 100644 --- a/usr.bin/sudo/auth/aix_auth.c +++ b/usr.bin/sudo/auth/aix_auth.c @@ -55,7 +55,7 @@ #include "sudo_auth.h" #ifndef lint -static const char rcsid[] = "$Sudo: aix_auth.c,v 1.7 1999/10/07 21:21:07 millert Exp $"; +static const char rcsid[] = "$Sudo: aix_auth.c,v 1.8 2000/02/27 03:49:05 millert Exp $"; #endif /* lint */ int @@ -67,7 +67,7 @@ aixauth_verify(pw, prompt, auth) char *message, *pass; int reenter = 1; - pass = tgetpass(prompt, def_ival(I_PW_TIMEOUT) * 60, 1); + pass = tgetpass(prompt, def_ival(I_PW_TIMEOUT) * 60, tgetpass_flags); if (authenticate(pw->pw_name, pass, &reenter, &message) == 0) return(AUTH_SUCCESS); else diff --git a/usr.bin/sudo/auth/fwtk.c b/usr.bin/sudo/auth/fwtk.c index 448faf87f97..dbbb9275b4c 100644 --- a/usr.bin/sudo/auth/fwtk.c +++ b/usr.bin/sudo/auth/fwtk.c @@ -58,7 +58,7 @@ #include "sudo_auth.h" #ifndef lint -static const char rcsid[] = "$Sudo: fwtk.c,v 1.9 1999/10/12 00:53:41 millert Exp $"; +static const char rcsid[] = "$Sudo: fwtk.c,v 1.10 2000/02/27 03:49:06 millert Exp $"; #endif /* lint */ int @@ -118,9 +118,10 @@ fwtk_verify(pw, prompt, auth) /* Get the password/response from the user. */ if (strncmp(resp, "challenge ", 10) == 0) { (void) snprintf(buf, sizeof(buf), "%s\nResponse: ", &resp[10]); - pass = tgetpass(buf, def_ival(I_PW_TIMEOUT) * 60, 0); + pass = tgetpass(buf, def_ival(I_PW_TIMEOUT) * 60, + tgetpass_flags | TGP_ECHO); } else if (strncmp(resp, "password", 8) == 0) { - pass = tgetpass(prompt, def_ival(I_PW_TIMEOUT) * 60, 1); + pass = tgetpass(prompt, def_ival(I_PW_TIMEOUT) * 60, tgetpass_flags); } else { (void) fprintf(stderr, "%s: %s\n", Argv[0], resp); return(AUTH_FATAL); diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c index 12dad345726..169602dda74 100644 --- a/usr.bin/sudo/auth/pam.c +++ b/usr.bin/sudo/auth/pam.c 
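Review bot: In aixauth_verify the result of `tgetpass()` goes straight to `authenticate()` with no NULL check, whereas verify_user in sudo_auth.c tests `!p` after the same call, which suggests a NULL return is possible (presumably on prompt timeout or read error). If that is the case, add `if (pass == NULL) return(AUTH_FAILURE);` (or whichever failure code the callers expect) before the `authenticate()` call. The same question applies to `estrdup((char *) tgetpass(...))` in sudo_conv in pam.c, where `*pr->resp` is dereferenced on the next line. aixauth_verify's body continues outside the hunk.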
@@ -57,7 +57,7 @@ #include "sudo_auth.h" #ifndef lint -static const char rcsid[] = "$Sudo: pam.c,v 1.14 2000/01/24 03:23:40 millert Exp $"; +static const char rcsid[] = "$Sudo: pam.c,v 1.15 2000/02/27 03:49:06 millert Exp $"; #endif /* lint */ static int sudo_conv __P((int, PAM_CONST struct pam_message **, @@ -135,7 +135,6 @@ sudo_conv(num_msg, msg, response, appdata_ptr) struct pam_response *pr; PAM_CONST struct pam_message *pm; const char *p = def_prompt; - int echo = 0; extern int nil_pw; if ((*response = malloc(num_msg * sizeof(struct pam_response))) == NULL) @@ -145,7 +144,7 @@ sudo_conv(num_msg, msg, response, appdata_ptr) for (pr = *response, pm = *msg; num_msg--; pr++, pm++) { switch (pm->msg_style) { case PAM_PROMPT_ECHO_ON: - echo = 1; + tgetpass_flags |= TGP_ECHO; case PAM_PROMPT_ECHO_OFF: /* Only override PAM prompt if it matches /^Password: ?/ */ if (strncmp(pm->msg, "Password:", 9) || (pm->msg[9] != '\0' @@ -153,7 +152,7 @@ sudo_conv(num_msg, msg, response, appdata_ptr) p = pm->msg; /* Read the password. */ pr->resp = estrdup((char *) tgetpass(p, - def_ival(I_PW_TIMEOUT) * 60, !echo)); + def_ival(I_PW_TIMEOUT) * 60, tgetpass_flags)); if (*pr->resp == '\0') nil_pw = 1; /* empty password */ break; diff --git a/usr.bin/sudo/auth/passwd.c b/usr.bin/sudo/auth/passwd.c index 62f3a126584..9ec631dc4fd 100644 --- a/usr.bin/sudo/auth/passwd.c +++ b/usr.bin/sudo/auth/passwd.c 
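Review bot: `tgetpass_flags |= TGP_ECHO;` in the `PAM_PROMPT_ECHO_ON` case permanently modifies what appears to be a shared global (it is not declared in this hunk and is passed to tgetpass() from several files), so every later `PAM_PROMPT_ECHO_OFF` message in the loop, and any later password prompt in the process, would be read with echo enabled and the password shown on the terminal. The removed local `echo` was at least reset on each sudo_conv call. Compute the flags per message instead: `int flags = tgetpass_flags;` at the top of the loop body, `flags |= TGP_ECHO;` in the ECHO_ON case, and pass `flags` to `tgetpass()`, the way fwtk.c passes `tgetpass_flags | TGP_ECHO` without touching the variable. The intentional fall-through into `PAM_PROMPT_ECHO_OFF` also deserves a `/* FALLTHROUGH */` comment. sudo_conv starts and ends outside the hunk.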
@@ -55,25 +55,50 @@ #include "sudo_auth.h" #ifndef lint -static const char rcsid[] = "$Sudo: passwd.c,v 1.4 1999/08/14 15:36:46 millert Exp $"; +static const char rcsid[] = "$Sudo: passwd.c,v 1.7 2000/03/23 00:27:41 millert Exp $"; #endif /* lint */ +#define DESLEN 13 +#define HAS_AGEINFO(p, l) (l == 18 && p[DESLEN] == ',') + int passwd_verify(pw, pass, auth) struct passwd *pw; char *pass; sudo_auth *auth; { + char sav, *epass; + size_t pw_len; + int error; + + pw_len = strlen(pw->pw_passwd); #ifdef HAVE_GETAUTHUID /* Ultrix shadow passwords may use crypt16() */ - if (!strcmp(pw->pw_passwd, (char *) crypt16(pass, pw->pw_passwd))) + error = strcmp(pw->pw_passwd, (char *) crypt16(pass, pw->pw_passwd)); + if (!error) return(AUTH_SUCCESS); #endif /* HAVE_GETAUTHUID */ - /* Normal UN*X password check */ - if (!strcmp(pw->pw_passwd, (char *) crypt(pass, pw->pw_passwd))) - return(AUTH_SUCCESS); + /* + * Truncate to 8 chars if standard DES since not all crypt()'s do this. + * If this turns out not to be safe we will have to use OS #ifdef's (sigh). + */ + sav = pass[8]; + if (pw_len == DESLEN || HAS_AGEINFO(pw->pw_passwd, pw_len)) + pass[8] = '\0'; + + /* + * Normal UN*X password check. + * HP-UX may add aging info (separated by a ',') at the end so + * only compare the first DESLEN characters in that case. + */ + epass = (char *) crypt(pass, pw->pw_passwd); + pass[8] = sav; + if (HAS_AGEINFO(pw->pw_passwd, pw_len) && strlen(epass) == DESLEN) + error = strncmp(pw->pw_passwd, epass, DESLEN); + else + error = strcmp(pw->pw_passwd, epass); - return(AUTH_FAILURE); + return(error ? AUTH_FAILURE : AUTH_SUCCESS); } diff --git a/usr.bin/sudo/auth/sudo_auth.c b/usr.bin/sudo/auth/sudo_auth.c index c9b65e257aa..cb847d452cb 100644 --- a/usr.bin/sudo/auth/sudo_auth.c +++ b/usr.bin/sudo/auth/sudo_auth.c 
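Review bot: `sav = pass[8];` and `pass[8] = sav;` in passwd_verify touch byte 8 of `pass` unconditionally, even when the typed password is shorter than eight characters, so they read and write past the terminator and rely on every caller supplying a buffer of at least nine bytes, which nothing in this function guarantees. Save, truncate and restore only when `strlen(pass) > 8`. The result of `crypt()` is also passed to `strlen()`/`strcmp()` unchecked; some implementations return NULL for a salt they reject, so that case should map to `AUTH_FAILURE` instead of a crash in the authentication path. Separately, the parameters of `HAS_AGEINFO` should be parenthesised in its expansion.

```c
    int trunc_des;

    /* … unchanged: pw_len computation and crypt16() branch … */

    /* Only touch pass[8] when the password really is longer than 8 chars. */
    trunc_des = strlen(pass) > 8 &&
        (pw_len == DESLEN || HAS_AGEINFO(pw->pw_passwd, pw_len));
    if (trunc_des) {
        sav = pass[8];
        pass[8] = '\0';
    }

    epass = (char *) crypt(pass, pw->pw_passwd);
    if (trunc_des)
        pass[8] = sav;
    if (epass == NULL)
        return(AUTH_FAILURE);

    /* … unchanged: strncmp()/strcmp() comparison and return … */
```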
@@ -57,7 +57,7 @@ #include "insults.h" #ifndef lint -static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.17 1999/12/06 06:47:19 millert Exp $"; +static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.19 2000/03/06 19:42:21 millert Exp $"; #endif /* lint */ sudo_auth auth_switch[] = { @@ -67,7 +67,7 @@ sudo_auth auth_switch[] = { # ifndef WITHOUT_PASSWD AUTH_ENTRY(0, "passwd", NULL, NULL, passwd_verify, NULL) # endif -# if defined(HAVE_SECUREWARE) && !defined(WITHOUT_PASSWD) +# if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD) AUTH_ENTRY(0, "secureware", secureware_init, NULL, secureware_verify, NULL) # endif # ifdef HAVE_AFS @@ -155,7 +155,8 @@ verify_user(prompt) #ifdef AUTH_STANDALONE p = prompt; #else - p = (char *) tgetpass(prompt, def_ival(I_PW_TIMEOUT) * 60, 1); + p = (char *) tgetpass(prompt, def_ival(I_PW_TIMEOUT) * 60, + tgetpass_flags); if (!p || *p == '\0') nil_pw = 1; #endif /* AUTH_STANDALONE */ |