author | Stuart Henderson <sthen@cvs.openbsd.org> | 2015-12-08 13:39:41 +0000 |
---|---|---|
committer | Stuart Henderson <sthen@cvs.openbsd.org> | 2015-12-08 13:39:41 +0000 |
commit | baa0b18a7d23360edfc8650690dcdc4e85223db4 (patch) | |
tree | 22e6453385106baeaf344013ed861da094f6f164 /usr.bin | |
parent | eaecc2fde09afceb2cf5deed54adc622ab96aaef (diff) |
Support -a <auth_style> in doas(1). Allows specifying a non-default auth
style, for example if you have "auth-doas=yubikey,passwd" in login.conf,
doas will usually want yubikey authentication, but will allow a fallback
of "doas -a passwd".
Avoids the need for sudo in a number of cases, at the expense of 5 added
lines of code (and one of those is only to avoid >80 columns).
Adapted from a diff by Renaud Allard, ok dlg@ tedu@
Diffstat (limited to 'usr.bin')
-rw-r--r-- | usr.bin/doas/doas.1 | 18 | ||||
-rw-r--r-- | usr.bin/doas/doas.c | 13 |
2 files changed, 25 insertions, 6 deletions
diff --git a/usr.bin/doas/doas.1 b/usr.bin/doas/doas.1 index fab1cbca451..e8f34f192f5 100644 --- a/usr.bin/doas/doas.1 +++ b/usr.bin/doas/doas.1 @@ -1,4 +1,4 @@ -.\" $OpenBSD: doas.1,v 1.14 2015/07/27 17:57:06 jmc Exp $ +.\" $OpenBSD: doas.1,v 1.15 2015/12/08 13:39:40 sthen Exp $ .\" .\"Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> .\" @@ -13,7 +13,7 @@ .\"WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN .\"ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\"OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.Dd $Mdocdate: July 27 2015 $ +.Dd $Mdocdate: December 8 2015 $ .Dt DOAS 1 .Os .Sh NAME @@ -22,6 +22,7 @@ .Sh SYNOPSIS .Nm doas .Op Fl ns +.Op Fl a Ar style .Op Fl C Ar config .Op Fl u Ar user .Ar command @@ -40,6 +41,19 @@ is specified. .Pp The options are as follows: .Bl -tag -width tenletters +.It Fl a Ar style +The +.Fl a +(authentication style) option causes +.Nm +to use the specified authentication style when validating the user, +as allowed by +.Pa /etc/login.conf . +The system administrator may specify a list of doas-specific +authentication methods by adding an +.Sq auth-doas +entry in +.Pa /etc/login.conf . .It Fl C Ar config Parse and check the configuration file .Ar config , diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c index 92633a063f1..da7f8ff4de7 100644 --- a/usr.bin/doas/doas.c +++ b/usr.bin/doas/doas.c @@ -1,4 +1,4 @@ -/* $OpenBSD: doas.c,v 1.46 2015/12/03 08:12:15 tedu Exp $ */ +/* $OpenBSD: doas.c,v 1.47 2015/12/08 13:39:40 sthen Exp $ */ /* * Copyright (c) 2015 Ted Unangst <tedu@openbsd.org> * @@ -37,7 +37,8 @@ static void __dead usage(void) { - fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command [args]\n"); + fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]" + " command [args]\n"); exit(1); } 
@@ -323,6 +324,7 @@ main(int argc, char **argv, char **envp) int nflag = 0; char cwdpath[PATH_MAX]; const char *cwd; + char *login_style = NULL; if (pledge("stdio rpath getpw tty proc exec id", NULL) == -1) err(1, "pledge"); @@ -331,8 +333,11 @@ main(int argc, char **argv, char **envp) uid = getuid(); - while ((ch = getopt(argc, argv, "C:nsu:")) != -1) { + while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) { switch (ch) { + case 'a': + login_style = optarg; + break; case 'C': confpath = optarg; break; @@ -412,7 +417,7 @@ main(int argc, char **argv, char **envp) if (nflag) errx(1, "Authorization required"); - if (!(as = auth_userchallenge(myname, NULL, "auth-doas", + if (!(as = auth_userchallenge(myname, login_style, "auth-doas", &challenge))) err(1, "auth challenge failed"); if (!challenge) { |
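Review bot: The style string from `-a` reaches `auth_userchallenge()` in the last hunk exactly as the invoking user typed it, and the `case 'a':` hunk only stores `optarg`, so doas itself performs no check on it. The restriction therefore rests entirely on BSD auth comparing the requested style with the login class's `auth-doas` list. If I read login_cap(3) correctly, the general `auth` list applies when no `auth-doas` entry exists, so hosts without that entry would accept any style permitted for ordinary login; that should be confirmed and stated in doas.1. I would add a comment above the call, `/* login_style is user-supplied; libc rejects styles not permitted for auth-doas in login.conf */`. A refused style presumably ends in `err(1, "auth challenge failed")`, whose errno text may be unrelated, so a separate `errx()` message for that case would make failures easier to diagnose. main() begins and ends outside these hunks.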