authorTodd C. Miller <millert@cvs.openbsd.org>2007-07-26 16:10:17 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2007-07-26 16:10:17 +0000
commit828fe35b0dee0a24eae19e816e9f6bc05c720bc0 (patch)
tree2adb27efde016e50eadcf2e74892e19861268a25 /usr.bin/sudo/auth
parenteb13f7f0aa17caa3bf79e5518751b3f095fb2445 (diff)
Update to sudo 1.6.9p1. Note that the environment handling in sudo
1.6.9 has changed relative to older versions. Sudo now starts commands with a minimal environment containing the variables in the env_keep and env_check lists. This behavior is configurable in the sudoers file. Please see the "SECURITY NOTES" section in the sudo manual.
Diffstat (limited to 'usr.bin/sudo/auth')
-rw-r--r--usr.bin/sudo/auth/afs.c6
-rw-r--r--usr.bin/sudo/auth/aix_auth.c16
-rw-r--r--usr.bin/sudo/auth/bsdauth.c6
-rw-r--r--usr.bin/sudo/auth/dce.c7
-rw-r--r--usr.bin/sudo/auth/fwtk.c6
-rw-r--r--usr.bin/sudo/auth/kerb4.c6
-rw-r--r--usr.bin/sudo/auth/kerb5.c45
-rw-r--r--usr.bin/sudo/auth/pam.c65
-rw-r--r--usr.bin/sudo/auth/passwd.c6
-rw-r--r--usr.bin/sudo/auth/rfc1938.c8
-rw-r--r--usr.bin/sudo/auth/secureware.c6
-rw-r--r--usr.bin/sudo/auth/securid.c6
-rw-r--r--usr.bin/sudo/auth/securid5.c26
-rw-r--r--usr.bin/sudo/auth/sia.c6
-rw-r--r--usr.bin/sudo/auth/sudo_auth.c6
-rw-r--r--usr.bin/sudo/auth/sudo_auth.h6
16 files changed, 153 insertions, 74 deletions
diff --git a/usr.bin/sudo/auth/afs.c b/usr.bin/sudo/auth/afs.c
index caf37e0389a..9118326b40c 100644
--- a/usr.bin/sudo/auth/afs.c
+++ b/usr.bin/sudo/auth/afs.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2001, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999, 2001-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/param.h>
#include <sys/types.h>
@@ -51,7 +51,7 @@
#include <afs/kautils.h>
#ifndef lint
-static const char rcsid[] = "$Sudo: afs.c,v 1.10 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: afs.c,v 1.10.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
int
diff --git a/usr.bin/sudo/auth/aix_auth.c b/usr.bin/sudo/auth/aix_auth.c
index 7e5a6aa8de7..168f358740e 100644
--- a/usr.bin/sudo/auth/aix_auth.c
+++ b/usr.bin/sudo/auth/aix_auth.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -47,9 +47,13 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: aix_auth.c,v 1.18 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: aix_auth.c,v 1.18.2.3 2007/06/21 22:29:15 millert Exp $";
#endif /* lint */
+/*
+ * For a description of the AIX authentication API, see
+ * http://publib16.boulder.ibm.com/doc_link/en_US/a_doc_lib/libs/basetrf1/authenticate.htm
+ */
int
aixauth_verify(pw, prompt, auth)
struct passwd *pw;
@@ -57,14 +61,16 @@ aixauth_verify(pw, prompt, auth)
sudo_auth *auth;
{
char *pass;
- char *message;
+ char *message = NULL;
int reenter = 1;
int rval = AUTH_FAILURE;
pass = tgetpass(prompt, def_passwd_timeout * 60, tgetpass_flags);
if (pass) {
- if (authenticate(pw->pw_name, (char *)pass, &reenter, &message) == 0)
+ /* XXX - should probably print message on failure. */
+ if (authenticate(pw->pw_name, pass, &reenter, &message) == 0)
rval = AUTH_SUCCESS;
+ free(message);
zero_bytes(pass, strlen(pass));
}
return(rval);
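Review bot: The value `authenticate()` leaves in `reenter` is never examined, so a zero return is taken as success even if the API is still asking for a further response. As I read the API description linked in the added comment, a nonzero `reenter` after the call means authentication is not yet complete; if that holds, the test should be `if (authenticate(pw->pw_name, pass, &reenter, &message) == 0 && reenter == 0)`, or the call should loop while `reenter` is set. The function's signature is in the previous hunk and its closing brace lies outside this one.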
diff --git a/usr.bin/sudo/auth/bsdauth.c b/usr.bin/sudo/auth/bsdauth.c
index 2c057de75d5..a881bf93795 100644
--- a/usr.bin/sudo/auth/bsdauth.c
+++ b/usr.bin/sudo/auth/bsdauth.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000-2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2000-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -52,7 +52,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: bsdauth.c,v 1.16 2004/06/07 00:02:56 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: bsdauth.c,v 1.16.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
extern char *login_style; /* from sudo.c */
diff --git a/usr.bin/sudo/auth/dce.c b/usr.bin/sudo/auth/dce.c
index 5f8a25c0798..a27303b0a9d 100644
--- a/usr.bin/sudo/auth/dce.c
+++ b/usr.bin/sudo/auth/dce.c
@@ -1,6 +1,5 @@
/*
- * Copyright (c) 1996, 1998, 1999, 2001, 2002
- * Todd C. Miller <Todd.Miller@courtesan.com>.
+ * Copyright (c) 1996, 1998-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -33,7 +32,7 @@
* DCE 1.1).
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -66,7 +65,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: dce.c,v 1.11 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: dce.c,v 1.11.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
static int check_dce_status __P((error_status_t, char *));
diff --git a/usr.bin/sudo/auth/fwtk.c b/usr.bin/sudo/auth/fwtk.c
index 665f3b2d9ca..4e365fc6456 100644
--- a/usr.bin/sudo/auth/fwtk.c
+++ b/usr.bin/sudo/auth/fwtk.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2003 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -55,7 +55,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: fwtk.c,v 1.23 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: fwtk.c,v 1.23.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
int
diff --git a/usr.bin/sudo/auth/kerb4.c b/usr.bin/sudo/auth/kerb4.c
index 4aa81bd7d42..60d22ca3cae 100644
--- a/usr.bin/sudo/auth/kerb4.c
+++ b/usr.bin/sudo/auth/kerb4.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999, 2001, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -48,7 +48,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: kerb4.c,v 1.11 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: kerb4.c,v 1.11.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
int
diff --git a/usr.bin/sudo/auth/kerb5.c b/usr.bin/sudo/auth/kerb5.c
index 07022c50f98..57f183e4e54 100644
--- a/usr.bin/sudo/auth/kerb5.c
+++ b/usr.bin/sudo/auth/kerb5.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999,2001,2003-2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -21,7 +21,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -46,23 +46,27 @@
#endif /* HAVE_UNISTD_H */
#include <pwd.h>
#include <krb5.h>
+#ifdef HAVE_HEIMDAL
+#include <com_err.h>
+#endif
#include "sudo.h"
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: kerb5.c,v 1.23 2004/06/07 00:02:56 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: kerb5.c,v 1.23.2.4 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
#ifdef HAVE_HEIMDAL
# define extract_name(c, p) krb5_principal_get_comp_string(c, p, 1)
# define krb5_free_data_contents(c, d) krb5_data_free(d)
-# define ENCTYPE_DES_CBC_MD5 ETYPE_DES_CBC_MD5 /* XXX */
#else
# define extract_name(c, p) (krb5_princ_component(c, p, 1)->data)
#endif
+#ifndef HAVE_KRB5_VERIFY_USER
static int verify_krb_v5_tgt __P((krb5_context, krb5_ccache, char *));
+#endif
static struct _sudo_krb5_data {
krb5_context sudo_context;
krb5_principal princ;
@@ -87,7 +91,12 @@ kerb5_init(pw, promptp, auth)
auth->data = (VOID *) &sudo_krb5_data; /* Stash all our data here */
- if ((error = krb5_init_context(&(sudo_krb5_data.sudo_context))))
+#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT
+ error = krb5_init_secure_context(&(sudo_krb5_data.sudo_context));
+#else
+ error = krb5_init_context(&(sudo_krb5_data.sudo_context));
+#endif
+ if (error)
return(AUTH_FAILURE);
sudo_context = sudo_krb5_data.sudo_context;
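Review bot: The `#ifdef HAVE_KRB5_INIT_SECURE_CONTEXT` block has no comment explaining why the secure variant is preferred. I would add `/* Use the secure context where available: it ignores Kerberos settings taken from the environment, which matters for a setuid program. */` above it. Where the macro is undefined the code still falls back to `krb5_init_context()`, so on those platforms the protection depends on the environment having been cleaned before this point, which is not visible here. kerb5_init starts and ends outside this hunk.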
@@ -150,6 +159,26 @@ kerb5_init(pw, promptp, auth)
return(AUTH_SUCCESS);
}
+#ifdef HAVE_KRB5_VERIFY_USER
+int
+kerb5_verify(pw, pass, auth)
+ struct passwd *pw;
+ char *pass;
+ sudo_auth *auth;
+{
+ krb5_context sudo_context;
+ krb5_principal princ;
+ krb5_ccache ccache;
+ krb5_error_code error;
+
+ sudo_context = ((sudo_krb5_datap) auth->data)->sudo_context;
+ princ = ((sudo_krb5_datap) auth->data)->princ;
+ ccache = ((sudo_krb5_datap) auth->data)->ccache;
+
+ error = krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL);
+ return (error ? AUTH_FAILURE : AUTH_SUCCESS);
+}
+#else
int
kerb5_verify(pw, pass, auth)
struct passwd *pw;
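Review bot: The call `krb5_verify_user(sudo_context, princ, ccache, pass, 1, NULL)` passes two bare literals whose meaning is security-relevant and undocumented. A comment such as `/* secure = 1: verify the ticket against the local host key; service = NULL: default service */` would make clear that the KDC reply is being checked (this is my reading of the Heimdal prototype; confirm against the header in use). Unlike the older path, which logs through `log_error()` in verify_krb_v5_tgt, this variant returns AUTH_FAILURE without recording `error`, and `pw` is unused. The hunk ends inside the signature of the pre-existing kerb5_verify.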
@@ -195,6 +224,7 @@ kerb5_verify(pw, pass, auth)
krb5_free_cred_contents(sudo_context, &creds);
return (error ? AUTH_FAILURE : AUTH_SUCCESS);
}
+#endif
int
kerb5_cleanup(pw, auth)
@@ -220,6 +250,7 @@ kerb5_cleanup(pw, auth)
return(AUTH_SUCCESS);
}
+#ifndef HAVE_KRB5_VERIFY_USER
/*
* This routine with some modification is from the MIT V5B6 appl/bsd/login.c
*
@@ -269,12 +300,11 @@ verify_krb_v5_tgt(sudo_context, ccache, auth_name)
* and enctype is currently ignored anyhow.)
*/
if ((error = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
- ENCTYPE_DES_CBC_MD5, &keyblock))) {
+ 0, &keyblock))) {
/* Keytab or service key does not exist. */
log_error(NO_EXIT,
"%s: host service key not found: %s", auth_name,
error_message(error));
- error = 0;
goto cleanup;
}
if (keyblock)
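Review bot: With `error = 0;` removed, a host that has no keytab or host service key now fails Kerberos authentication instead of returning success for an unverified TGT, and the surviving comment `/* Keytab or service key does not exist. */` does not say so. I would extend it to `/* Keytab or service key does not exist; without it the TGT cannot be verified, so fail. */` so the stricter behaviour is not mistaken for an oversight and reverted. The `cleanup:` tail visible in the last hunk of this file also passes `error_message(error)` to what looks like a logging call, so this path may now be logged twice; worth checking. verify_krb_v5_tgt starts and ends outside this hunk.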
@@ -303,3 +333,4 @@ cleanup:
error_message(error));
return(error);
}
+#endif
diff --git a/usr.bin/sudo/auth/pam.c b/usr.bin/sudo/auth/pam.c
index d289a06ef5c..f4693f08e08 100644
--- a/usr.bin/sudo/auth/pam.c
+++ b/usr.bin/sudo/auth/pam.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2004 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -56,14 +56,14 @@
#include "sudo_auth.h"
/* Only OpenPAM and Linux PAM use const qualifiers. */
-#if defined(_OPENPAM) || defined(__LIBPAM_VERSION)
+#if defined(_OPENPAM) || defined(__LIBPAM_VERSION) || defined(__LINUX_PAM__)
# define PAM_CONST const
#else
# define PAM_CONST
#endif
#ifndef lint
-static const char rcsid[] = "$Sudo: pam.c,v 1.43 2004/06/28 14:51:50 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: pam.c,v 1.43.2.4 2007/07/22 12:14:53 millert Exp $";
#endif /* lint */
static int sudo_conv __P((int, PAM_CONST struct pam_message **,
@@ -94,7 +94,14 @@ pam_init(pw, promptp, auth)
log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM");
return(AUTH_FATAL);
}
- if (strcmp(user_tty, "unknown"))
+ /*
+ * Some versions of pam_lastlog have a bug that
+ * will cause a crash if PAM_TTY is not set so if
+ * there is no tty, set PAM_TTY to the empty string.
+ */
+ if (strcmp(user_tty, "unknown") == 0)
+ (void) pam_set_item(pamh, PAM_TTY, "");
+ else
(void) pam_set_item(pamh, PAM_TTY, user_tty);
return(AUTH_SUCCESS);
@@ -175,6 +182,8 @@ int
pam_prep_user(pw)
struct passwd *pw;
{
+ int eval;
+
if (pamh == NULL)
pam_init(pw, NULL, NULL);
@@ -195,6 +204,18 @@ pam_prep_user(pw)
*/
(void) pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ /*
+ * To fully utilize PAM sessions we would need to keep a
+ * sudo process around until the command exits. However, we
+ * can at least cause pam_limits to be run by opening and then
+ * immediately closing the session.
+ */
+ if ((eval = pam_open_session(pamh, 0)) != PAM_SUCCESS) {
+ (void) pam_end(pamh, eval | PAM_DATA_SILENT);
+ return(AUTH_FAILURE);
+ }
+ (void) pam_close_session(pamh, 0);
+
if (pam_end(pamh, PAM_SUCCESS | PAM_DATA_SILENT) == PAM_SUCCESS)
return(AUTH_SUCCESS);
else
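Review bot: The new failure branch calls `pam_end()` and returns without resetting `pamh`, while the top of pam_prep_user tests `pamh == NULL` to decide whether to initialise. Any later use of the handle after this return would touch a handle PAM has already released; adding `pamh = NULL;` after the `pam_end(pamh, eval | PAM_DATA_SILENT)` call avoids that. The branch also leaves the credentials set by `pam_setcred(pamh, PAM_ESTABLISH_CRED)` in place, and the result of `pam_close_session()` is dropped; whether either matters depends on the modules in use. The function's closing lines are outside the hunk.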
@@ -235,7 +256,12 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
p = pm->msg;
/* Read the password. */
pass = tgetpass(p, def_passwd_timeout * 60, flags);
- pr->resp = estrdup(pass ? pass : "");
+ if (pass == NULL) {
+ /* We got ^C instead of a password; abort quickly. */
+ nil_pw = 1;
+ goto err;
+ }
+ pr->resp = estrdup(pass);
if (*pr->resp == '\0')
nil_pw = 1; /* empty password */
else
@@ -252,20 +278,23 @@ sudo_conv(num_msg, msg, response, appdata_ptr)
}
break;
default:
- /* Zero and free allocated memory and return an error. */
- for (pr = *response, n = num_msg; n--; pr++) {
- if (pr->resp != NULL) {
- zero_bytes(pr->resp, strlen(pr->resp));
- free(pr->resp);
- pr->resp = NULL;
- }
- }
- zero_bytes(*response, num_msg * sizeof(struct pam_response));
- free(*response);
- *response = NULL;
- return(PAM_CONV_ERR);
+ goto err;
}
}
return(PAM_SUCCESS);
+
+err:
+ /* Zero and free allocated memory and return an error. */
+ for (pr = *response, n = num_msg; n--; pr++) {
+ if (pr->resp != NULL) {
+ zero_bytes(pr->resp, strlen(pr->resp));
+ free(pr->resp);
+ pr->resp = NULL;
+ }
+ }
+ zero_bytes(*response, num_msg * sizeof(struct pam_response));
+ free(*response);
+ *response = NULL;
+ return(PAM_CONV_ERR);
}
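Review bot: The shared `err:` cleanup walks all `num_msg` entries and tests `pr->resp != NULL`, but it is now also reached from the new `pass == NULL` branch in the previous hunk, part-way through the message loop. That is only safe if `*response` was zero-filled when allocated, which is not visible here; a comment at the label such as `/* Relies on *response being zero-filled at allocation: entries not yet reached must have resp == NULL. */` would record the assumption. The comment `We got ^C instead of a password` may also be too narrow if `tgetpass()` returns NULL on timeout as well.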
diff --git a/usr.bin/sudo/auth/passwd.c b/usr.bin/sudo/auth/passwd.c
index cb08dd55640..ffd12e33ed1 100644
--- a/usr.bin/sudo/auth/passwd.c
+++ b/usr.bin/sudo/auth/passwd.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -47,7 +47,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: passwd.c,v 1.14 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: passwd.c,v 1.14.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
#define DESLEN 13
diff --git a/usr.bin/sudo/auth/rfc1938.c b/usr.bin/sudo/auth/rfc1938.c
index 78ec7235f92..079985bbeb5 100644
--- a/usr.bin/sudo/auth/rfc1938.c
+++ b/usr.bin/sudo/auth/rfc1938.c
@@ -1,6 +1,6 @@
/*
- * Copyright (c) 1994-1996, 1998-1999, 2001, 2003
- * Todd C. Miller <Todd.Miller@courtesan.com>.
+ * Copyright (c) 1994-1996, 1998-2005
+ * Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -19,7 +19,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -69,7 +69,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: rfc1938.c,v 1.16 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: rfc1938.c,v 1.16.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
int
diff --git a/usr.bin/sudo/auth/secureware.c b/usr.bin/sudo/auth/secureware.c
index af2a178d26a..435957d5321 100644
--- a/usr.bin/sudo/auth/secureware.c
+++ b/usr.bin/sudo/auth/secureware.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1998, 1999, 2001 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1998-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -54,7 +54,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: secureware.c,v 1.10 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: secureware.c,v 1.10.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
int
diff --git a/usr.bin/sudo/auth/securid.c b/usr.bin/sudo/auth/securid.c
index db868d32833..b16d44fa868 100644
--- a/usr.bin/sudo/auth/securid.c
+++ b/usr.bin/sudo/auth/securid.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2001, 2003 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -21,7 +21,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -59,7 +59,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: securid.c,v 1.12 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: securid.c,v 1.12.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
union config_record configure;
diff --git a/usr.bin/sudo/auth/securid5.c b/usr.bin/sudo/auth/securid5.c
index 8953acf40b3..b6585c3f01b 100644
--- a/usr.bin/sudo/auth/securid5.c
+++ b/usr.bin/sudo/auth/securid5.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2003 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
* Copyright (c) 2002 Michael Stroucken <michael@stroucken.org>
*
* Permission to use, copy, modify, and distribute this software for any
@@ -22,7 +22,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -61,7 +61,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: securid5.c,v 1.6 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: securid5.c,v 1.6.2.2 2007/06/12 00:56:44 millert Exp $";
#endif /* lint */
/*
@@ -126,6 +126,10 @@ securid_setup(pw, promptp, auth)
retval = SD_Lock(*sd, pw->pw_name);
switch (retval) {
+ case ACM_OK:
+ warnx("User ID locked for SecurID Authentication");
+ return(AUTH_SUCCESS);
+
case ACE_UNDEFINED_USERNAME:
warnx("invalid username length for SecurID");
return(AUTH_FATAL);
@@ -138,9 +142,9 @@ securid_setup(pw, promptp, auth)
warnx("SecurID communication failed");
return(AUTH_FATAL);
- case ACM_OK:
- warnx("User ID locked for SecurID Authentication");
- return(AUTH_SUCCESS);
+ default:
+ warnx("unknown SecurID error");
+ return(AUTH_FATAL);
}
}
@@ -170,6 +174,10 @@ securid_verify(pw, pass, auth)
/* Have ACE verify password */
switch (SD_Check(*sd, pass, pw->pw_name)) {
+ case ACM_OK:
+ rval = AUTH_SUCESS;
+ break;
+
case ACE_UNDEFINED_PASSCODE:
warnx("invalid passcode length for SecurID");
rval = AUTH_FATAL;
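Review bot: `rval = AUTH_SUCESS;` in the new `case ACM_OK:` is misspelled; the other hunks in this file use `AUTH_SUCCESS`, so unless an `AUTH_SUCESS` macro exists elsewhere this will not compile when the SecurID 5 backend is built. It should read `rval = AUTH_SUCCESS;`. This backend is presumably compiled only when configured, so the error could go unnoticed in default builds. securid_verify begins and ends outside this hunk.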
@@ -183,6 +191,7 @@ securid_verify(pw, pass, auth)
case ACE_ERR_INVALID_HANDLE:
warnx("invalid Authentication Handle for SecurID");
rval = AUTH_FATAL;
+ break;
case ACM_ACCESS_DENIED:
rval = AUTH_FAILURE;
@@ -217,6 +226,11 @@ then enter the new token code.\n", \
fprintf(stderr, "Please set up a PIN before you try to authenticate.\n");
rval = AUTH_FATAL;
break;
+
+ default:
+ warnx("unknown SecurID error");
+ rval = AUTH_FATAL;
+ break;
}
/* Free resources */
diff --git a/usr.bin/sudo/auth/sia.c b/usr.bin/sudo/auth/sia.c
index 2f6b3b584e7..d35a59d340c 100644
--- a/usr.bin/sudo/auth/sia.c
+++ b/usr.bin/sudo/auth/sia.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2001, 2003 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -20,7 +20,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -50,7 +50,7 @@
#include "sudo_auth.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: sia.c,v 1.14 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: sia.c,v 1.14.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
static int sudo_collect __P((int, int, uchar_t *, int, prompt_t *));
diff --git a/usr.bin/sudo/auth/sudo_auth.c b/usr.bin/sudo/auth/sudo_auth.c
index 829304dff08..a3cb56b66d7 100644
--- a/usr.bin/sudo/auth/sudo_auth.c
+++ b/usr.bin/sudo/auth/sudo_auth.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2002 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -18,7 +18,7 @@
* Materiel Command, USAF, under agreement number F39502-99-1-0512.
*/
-#include "config.h"
+#include <config.h>
#include <sys/types.h>
#include <sys/param.h>
@@ -53,7 +53,7 @@
#include "insults.h"
#ifndef lint
-static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.33 2004/02/13 21:36:47 millert Exp $";
+__unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.33.2.2 2007/06/12 01:28:42 millert Exp $";
#endif /* lint */
sudo_auth auth_switch[] = {
diff --git a/usr.bin/sudo/auth/sudo_auth.h b/usr.bin/sudo/auth/sudo_auth.h
index 15991f2a7c1..f3b224e161a 100644
--- a/usr.bin/sudo/auth/sudo_auth.h
+++ b/usr.bin/sudo/auth/sudo_auth.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1999-2001 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
@@ -13,7 +13,7 @@
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
- * $Sudo: sudo_auth.h,v 1.20 2004/02/13 21:36:47 millert Exp $
+ * $Sudo: sudo_auth.h,v 1.20.2.2 2007/06/12 01:28:42 millert Exp $
*/
#ifndef SUDO_AUTH_H
@@ -96,7 +96,7 @@ int securid_verify __P((struct passwd *pw, char *pass, sudo_auth *auth));
# define AUTH_STANDALONE \
AUTH_ENTRY(0, "sia", \
NULL, sia_setup, sia_verify, sia_cleanup)
-#elif defined(HAVE_AUTHENTICATE)
+#elif defined(HAVE_AIXAUTH)
# define AUTH_STANDALONE \
AUTH_ENTRY(0, "aixauth", \
NULL, NULL, aixauth_verify, NULL)