2 * Copyright (c) 1999-2005, 2007 Todd C. Miller <Todd.Miller@courtesan.com>
3 * Copyright (c) 2002 Michael Stroucken <michael@stroucken.org>
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
17 * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
18 * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
20 * Sponsored in part by the Defense Advanced Research Projects
21 * Agency (DARPA) and Air Force Research Laboratory, Air Force
22 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
27 #include <sys/types.h>
28 #include <sys/param.h>
37 #endif /* STDC_HEADERS */
41 # ifdef HAVE_STRINGS_H
44 #endif /* HAVE_STRING_H */
47 #endif /* HAVE_UNISTD_H */
50 /* Needed for SecurID v5.0 Authentication on UNIX */
56 #include "sudo_auth.h"
59 __unused static const char rcsid[] = "$Sudo: securid5.c,v 1.13 2008/11/09 14:13:13 millert Exp $";
63 * securid_init - Initialises communications with ACE server
67 * auth - sudo authentication structure
70 * auth - auth->data contains pointer to new SecurID handle
71 * return code - Fatal if initialization unsuccessful, otherwise
75 securid_init(pw, promptp, auth)
80 static SDI_HANDLE sd_dat; /* SecurID handle */
82 auth->data = (void *) &sd_dat; /* For method-specific data */
84 /* Start communications */
85 if (AceInitialize() != SD_FALSE)
88 warningx("failed to initialise the ACE API library");
93 * securid_setup - Initialises a SecurID transaction and locks out other
97 * pw - struct passwd for username
99 * auth - sudo authentication structure for SecurID handle
102 * return code - Success if transaction started correctly, fatal
106 securid_setup(pw, promptp, auth)
111 SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
114 /* Re-initialize SecurID every time. */
115 if (SD_Init(sd) != ACM_OK) {
116 warningx("unable to contact the SecurID server");
120 /* Lock new PIN code */
121 retval = SD_Lock(*sd, pw->pw_name);
125 warningx("User ID locked for SecurID Authentication");
126 return(AUTH_SUCCESS);
128 case ACE_UNDEFINED_USERNAME:
129 warningx("invalid username length for SecurID");
132 case ACE_ERR_INVALID_HANDLE:
133 warningx("invalid Authentication Handle for SecurID");
136 case ACM_ACCESS_DENIED:
137 warningx("SecurID communication failed");
141 warningx("unknown SecurID error");
147 * securid_verify - Authenticates user and handles ACE responses
150 * pw - struct passwd for username
152 * auth - sudo authentication structure for SecurID handle
155 * return code - Success on successful authentication, failure on
156 * incorrect authentication, fatal on errors
159 securid_verify(pw, pass, auth)
164 SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;
167 pass = (char *) tgetpass("Enter your PASSCODE: ",
168 def_passwd_timeout * 60, tgetpass_flags);
170 /* Have ACE verify password */
171 switch (SD_Check(*sd, pass, pw->pw_name)) {
176 case ACE_UNDEFINED_PASSCODE:
177 warningx("invalid passcode length for SecurID");
181 case ACE_UNDEFINED_USERNAME:
182 warningx("invalid username length for SecurID");
186 case ACE_ERR_INVALID_HANDLE:
187 warningx("invalid Authentication Handle for SecurID");
191 case ACM_ACCESS_DENIED:
195 case ACM_NEXT_CODE_REQUIRED:
196 /* Sometimes (when current token close to expire?)
197 ACE challenges for the next token displayed
198 (entered without the PIN) */
199 pass = (char *) tgetpass("\
201 Wait for the token code to change, \n\
202 then enter the new token code.\n", \
203 def_passwd_timeout * 60, tgetpass_flags);
205 if (SD_Next(*sd, pass) == ACM_OK) {
213 case ACM_NEW_PIN_REQUIRED:
215 * This user's SecurID has not been activated yet,
216 * or the pin has been reset
218 /* XXX - Is setting up a new PIN within sudo's scope? */
220 fprintf(stderr, "Your SecurID access has not yet been set up.\n");
221 fprintf(stderr, "Please set up a PIN before you try to authenticate.\n");
226 warningx("unknown SecurID error");
234 /* Return stored state to calling process */