2 * Copyright (c) 1999-2005 Todd C. Miller <Todd.Miller@courtesan.com>
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 * Sponsored in part by the Defense Advanced Research Projects
17 * Agency (DARPA) and Air Force Research Laboratory, Air Force
18 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
23 #include <sys/types.h>
24 #include <sys/param.h>
33 #endif /* STDC_HEADERS */
35 # if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS)
40 # ifdef HAVE_STRINGS_H
43 #endif /* HAVE_STRING_H */
46 #endif /* HAVE_UNISTD_H */
52 #include "sudo_auth.h"
56 __unused static const char rcsid[] = "$Sudo: sudo_auth.c,v 1.33.2.2 2007/06/12 01:28:42 millert Exp $";
59 sudo_auth auth_switch[] = {
60 #ifdef AUTH_STANDALONE
63 # ifndef WITHOUT_PASSWD
64 AUTH_ENTRY(0, "passwd", passwd_init, NULL, passwd_verify, NULL)
66 # if defined(HAVE_GETPRPWNAM) && !defined(WITHOUT_PASSWD)
67 AUTH_ENTRY(0, "secureware", secureware_init, NULL, secureware_verify, NULL)
70 AUTH_ENTRY(0, "afs", NULL, NULL, afs_verify, NULL)
73 AUTH_ENTRY(0, "dce", NULL, NULL, dce_verify, NULL)
76 AUTH_ENTRY(0, "kerb4", kerb4_init, NULL, kerb4_verify, NULL)
79 AUTH_ENTRY(0, "kerb5", kerb5_init, NULL, kerb5_verify, kerb5_cleanup)
82 AUTH_ENTRY(0, "S/Key", NULL, rfc1938_setup, rfc1938_verify, NULL)
85 AUTH_ENTRY(0, "OPIE", NULL, rfc1938_setup, rfc1938_verify, NULL)
87 #endif /* AUTH_STANDALONE */
88 AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL)
91 int nil_pw; /* I hate resorting to globals like this... */
94 verify_user(pw, prompt)
98 int counter = def_passwd_tries + 1;
99 int success = AUTH_FAILURE;
106 /* Enable suspend during password entry. */
107 sigemptyset(&sa.sa_mask);
108 sa.sa_flags = SA_RESTART;
109 sa.sa_handler = SIG_DFL;
110 (void) sigaction(SIGTSTP, &sa, &osa);
112 /* Make sure we have at least one auth method. */
113 if (auth_switch[0].name == NULL)
114 log_error(0, "%s %s %s",
115 "There are no authentication methods compiled into sudo!",
116 "If you want to turn off authentication, use the",
117 "--disable-authentication configure option.");
119 /* Set FLAG_ONEANDONLY if there is only one auth method. */
120 if (auth_switch[1].name == NULL)
121 SET(auth_switch[0].flags, FLAG_ONEANDONLY);
123 /* Initialize auth methods and unconfigure the method if necessary. */
124 for (auth = auth_switch; auth->name; auth++) {
125 if (auth->init && IS_CONFIGURED(auth)) {
126 if (NEEDS_USER(auth))
127 set_perms(PERM_USER);
129 status = (auth->init)(pw, &prompt, auth);
130 if (status == AUTH_FAILURE)
131 CLR(auth->flags, FLAG_CONFIGURED);
132 else if (status == AUTH_FATAL) /* XXX log */
133 exit(1); /* assume error msg already printed */
135 if (NEEDS_USER(auth))
136 set_perms(PERM_ROOT);
141 /* Do any per-method setup and unconfigure the method if needed */
142 for (auth = auth_switch; auth->name; auth++) {
143 if (auth->setup && IS_CONFIGURED(auth)) {
144 if (NEEDS_USER(auth))
145 set_perms(PERM_USER);
147 status = (auth->setup)(pw, &prompt, auth);
148 if (status == AUTH_FAILURE)
149 CLR(auth->flags, FLAG_CONFIGURED);
150 else if (status == AUTH_FATAL) /* XXX log */
151 exit(1); /* assume error msg already printed */
153 if (NEEDS_USER(auth))
154 set_perms(PERM_ROOT);
158 /* Get the password unless the auth function will do it for us */
160 #ifdef AUTH_STANDALONE
163 p = (char *) tgetpass(prompt, def_passwd_timeout * 60,
165 if (!p || *p == '\0')
167 #endif /* AUTH_STANDALONE */
169 /* Call authentication functions. */
170 for (auth = auth_switch; p && auth->name; auth++) {
171 if (!IS_CONFIGURED(auth))
174 if (NEEDS_USER(auth))
175 set_perms(PERM_USER);
177 success = auth->status = (auth->verify)(pw, (char *)p, auth);
179 if (NEEDS_USER(auth))
180 set_perms(PERM_ROOT);
182 if (auth->status != AUTH_FAILURE)
185 #ifndef AUTH_STANDALONE
187 zero_bytes(p, strlen(p));
190 /* Exit loop on nil password, but give it a chance to match first. */
192 if (counter == def_passwd_tries)
202 /* Call cleanup routines. */
203 for (auth = auth_switch; auth->name; auth++) {
204 if (auth->cleanup && IS_CONFIGURED(auth)) {
205 if (NEEDS_USER(auth))
206 set_perms(PERM_USER);
208 status = (auth->cleanup)(pw, auth);
209 if (status == AUTH_FATAL) /* XXX log */
210 exit(1); /* assume error msg already printed */
212 if (NEEDS_USER(auth))
213 set_perms(PERM_ROOT);
219 (void) sigaction(SIGTSTP, &osa, NULL);
222 if (def_mail_badpass || def_mail_always)
226 log_error(flags, "%d incorrect password attempt%s",
227 def_passwd_tries - counter,
228 (def_passwd_tries - counter == 1) ? "" : "s");
242 (void) fprintf(fp, "%s\n", INSULT);
245 (void) fprintf(fp, "%s\n", def_badpass_message);
253 (void) fputs("Authentication methods:", stdout);
254 for (auth = auth_switch; auth->name; auth++)
255 (void) printf(" '%s'", auth->name);
256 (void) putchar('\n');