2 * Copyright (c) 2000-2001 Todd C. Miller <Todd.Miller@courtesan.com>
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
9 * 1. Redistributions of source code must retain the above copyright
10 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
16 * 3. The name of the author may not be used to endorse or promote products
17 * derived from this software without specific prior written permission.
19 * 4. Products derived from this software may not be called "Sudo" nor
20 * may "Sudo" appear in their names without specific prior written
21 * permission from the author.
23 * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
24 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
25 * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
26 * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
27 * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
28 * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
29 * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
30 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
31 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
32 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
37 #include <sys/types.h>
38 #include <sys/param.h>
47 #endif /* STDC_HEADERS */
51 # ifdef HAVE_STRINGS_H
54 #endif /* HAVE_STRING_H */
57 #endif /* HAVE_UNISTD_H */
62 #include <login_cap.h>
66 #include "sudo_auth.h"
69 static const char rcsid[] = "$Sudo: bsdauth.c,v 1.8 2002/01/22 03:37:55 millert Exp $";
72 extern char *login_style; /* from sudo.c */
75 bsdauth_init(pw, promptp, auth)
80 static auth_session_t *as;
81 extern login_cap_t *lc; /* from sudo.c */
83 if ((as = auth_open()) == NULL) {
84 log_error(USE_ERRNO|NO_EXIT|NO_MAIL,
85 "unable to begin bsd authentication");
89 /* XXX - maybe sanity check the auth style earlier? */
90 login_style = login_getstyle(lc, login_style, "auth-sudo");
91 if (login_style == NULL) {
92 log_error(NO_EXIT|NO_MAIL, "invalid authentication type");
97 if (auth_setitem(as, AUTHV_STYLE, login_style) < 0 ||
98 auth_setitem(as, AUTHV_NAME, pw->pw_name) < 0 ||
99 auth_setitem(as, AUTHV_CLASS, login_class) < 0) {
100 log_error(NO_EXIT|NO_MAIL, "unable to setup authentication");
105 auth->data = (VOID *) as;
106 return(AUTH_SUCCESS);
110 bsdauth_verify(pw, prompt, auth)
119 auth_session_t *as = (auth_session_t *) auth->data;
122 /* save old signal handler */
123 sigemptyset(&sa.sa_mask);
124 sa.sa_flags = SA_RESTART;
125 sa.sa_handler = SIG_DFL;
126 (void) sigaction(SIGCHLD, &sa, &osa);
129 * If there is a challenge then print that instead of the normal
130 * prompt. If the user just hits return we prompt again with echo
131 * turned on, which is useful for challenge/response things like
134 if ((s = auth_challenge(as)) == NULL) {
135 pass = tgetpass(prompt, def_ival(I_PASSWD_TIMEOUT) * 60, tgetpass_flags);
137 pass = tgetpass(s, def_ival(I_PASSWD_TIMEOUT) * 60, tgetpass_flags);
138 if (pass && *pass == '\0') {
139 if ((prompt = strrchr(s, '\n')))
145 * Append '[echo on]' to the last line of the challenge and
146 * reprompt with echo turned on.
148 len = strlen(prompt) - 1;
149 while (isspace(prompt[len]) || prompt[len] == ':')
150 prompt[len--] = '\0';
151 easprintf(&s, "%s [echo on]: ", prompt);
152 pass = tgetpass(s, def_ival(I_PASSWD_TIMEOUT) * 60,
153 tgetpass_flags | TGP_ECHO);
158 if (!pass || *pass == '\0') /* ^C or empty password */
162 authok = auth_userresponse(as, pass, 1);
163 memset(pass, 0, strlen(pass));
166 /* restore old signal handler */
167 (void) sigaction(SIGCHLD, &osa, NULL);
170 return(AUTH_SUCCESS);
172 if ((s = auth_getvalue(as, "errormsg")) != NULL)
173 log_error(NO_EXIT|NO_MAIL, "%s", s);
174 return(AUTH_FAILURE);
178 bsdauth_cleanup(pw, auth)
182 auth_session_t *as = (auth_session_t *) auth->data;
186 return(AUTH_SUCCESS);