AUTH_ENTRY("kerb4", 0, kerb4_init, NULL, kerb4_verify, NULL, NULL, NULL)
#endif
#ifdef HAVE_KERB5
- AUTH_ENTRY("kerb5", 0, kerb5_init, NULL, kerb5_verify, kerb5_cleanup, NULL, NULL)
+ AUTH_ENTRY("kerb5", 0, kerb5_init, kerb5_setup, kerb5_verify, kerb5_cleanup, NULL, NULL)
#endif
#ifdef HAVE_SKEY
AUTH_ENTRY("S/Key", 0, NULL, rfc1938_setup, rfc1938_verify, NULL, NULL, NULL)
AUTH_ENTRY(NULL, 0, NULL, NULL, NULL, NULL, NULL, NULL)
};
+static int standalone;
+
extern char **NewArgv; /* XXX - for auditing */
static void pass_warn(void);
int
-verify_user(struct passwd *pw, char *prompt)
+sudo_auth_init(struct passwd *pw)
{
- int counter = def_passwd_tries + 1;
- int success = AUTH_FAILURE;
- int flags, status, standalone, rval;
- char *p;
sudo_auth *auth;
- sigaction_t sa, osa;
-
- /* Enable suspend during password entry. */
- sigemptyset(&sa.sa_mask);
- sa.sa_flags = SA_RESTART;
- sa.sa_handler = SIG_DFL;
- (void) sigaction(SIGTSTP, &sa, &osa);
+ int status = AUTH_SUCCESS;
- /* Make sure we have at least one auth method. */
- if (auth_switch[0].name == NULL) {
- audit_failure(NewArgv, "no authentication methods");
- log_error(0,
- _("There are no authentication methods compiled into sudo! "
- "If you want to turn off authentication, use the "
- "--disable-authentication configure option."));
- return -1;
- }
+ if (auth_switch[0].name == NULL)
+ return TRUE;
/* Make sure we haven't mixed standalone and shared auth methods. */
standalone = IS_STANDALONE(&auth_switch[0]);
if (NEEDS_USER(auth))
set_perms(PERM_USER);
- status = (auth->init)(pw, &prompt, auth);
+ status = (auth->init)(pw, auth);
+
+ if (NEEDS_USER(auth))
+ restore_perms();
+
if (status == AUTH_FAILURE)
SET(auth->flags, FLAG_DISABLED);
- else if (status == AUTH_FATAL) { /* XXX log */
+ else if (status == AUTH_FATAL) {
+ /* XXX log */
audit_failure(NewArgv, "authentication failure");
- return -1; /* assume error msg already printed */
+ break; /* assume error msg already printed */
}
+ }
+ }
+ return status == AUTH_FATAL ? -1 : TRUE;
+}
+
+int
+sudo_auth_cleanup(struct passwd *pw)
+{
+ sudo_auth *auth;
+ int status = AUTH_SUCCESS;
+
+ /* Call cleanup routines. */
+ for (auth = auth_switch; auth->name; auth++) {
+ if (auth->cleanup && !IS_DISABLED(auth)) {
+ if (NEEDS_USER(auth))
+ set_perms(PERM_USER);
+
+ status = (auth->cleanup)(pw, auth);
if (NEEDS_USER(auth))
restore_perms();
+
+ if (status == AUTH_FATAL) {
+ /* XXX log */
+ audit_failure(NewArgv, "authentication failure");
+ break; /* assume error msg already printed */
+ }
}
}
+ return status == AUTH_FATAL ? -1 : TRUE;
+}
+
+int
+verify_user(struct passwd *pw, char *prompt)
+{
+ int counter = def_passwd_tries + 1;
+ int success = AUTH_FAILURE;
+ int flags, status, rval;
+ char *p;
+ sudo_auth *auth;
+ sigaction_t sa, osa;
+
+ /* Enable suspend during password entry. */
+ sigemptyset(&sa.sa_mask);
+ sa.sa_flags = SA_RESTART;
+ sa.sa_handler = SIG_DFL;
+ (void) sigaction(SIGTSTP, &sa, &osa);
+
+ /* Make sure we have at least one auth method. */
+ /* XXX - check FLAG_DISABLED too */
+ if (auth_switch[0].name == NULL) {
+ audit_failure(NewArgv, "no authentication methods");
+ log_error(0,
+ _("There are no authentication methods compiled into sudo! "
+ "If you want to turn off authentication, use the "
+ "--disable-authentication configure option."));
+ return -1;
+ }
while (--counter) {
/* Do any per-method setup and unconfigure the method if needed */
set_perms(PERM_USER);
status = (auth->setup)(pw, &prompt, auth);
+
+ if (NEEDS_USER(auth))
+ restore_perms();
+
if (status == AUTH_FAILURE)
SET(auth->flags, FLAG_DISABLED);
- else if (status == AUTH_FATAL) {/* XXX log */
+ else if (status == AUTH_FATAL) {
+ /* XXX log */
audit_failure(NewArgv, "authentication failure");
return -1; /* assume error msg already printed */
}
-
- if (NEEDS_USER(auth))
- restore_perms();
}
}
restore_perms();
if (auth->status != AUTH_FAILURE)
- goto cleanup;
+ goto done;
}
if (!standalone)
zero_bytes(p, strlen(p));
pass_warn();
}
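Review bot: The decision at `if (!standalone) zero_bytes(p, strlen(p));` now depends on the file-scope `static int standalone` that is only assigned inside sudo_auth_init (`standalone = IS_STANDALONE(&auth_switch[0])`), whereas the removed code computed it locally in verify_user; nothing in verify_user establishes that init ran first, and the static zero-initialises, so a caller that skips sudo_auth_init would take the shared-method branch whatever the configured method is. That ordering contract should be stated where the variable lives, `static int standalone; /* set by sudo_auth_init(); verify_user() assumes init ran first */`, or verify_user should recompute it from `auth_switch[0]` as before. Whether the caller in sudo's main path guarantees the order cannot be seen from this hunk; verify_user and its tries loop extend beyond the visible lines.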
-cleanup:
- /* Call cleanup routines. */
- for (auth = auth_switch; auth->name; auth++) {
- if (auth->cleanup && !IS_DISABLED(auth)) {
- if (NEEDS_USER(auth))
- set_perms(PERM_USER);
-
- status = (auth->cleanup)(pw, auth);
- if (status == AUTH_FATAL) { /* XXX log */
- audit_failure(NewArgv, "authentication failure");
- return -1; /* assume error msg already printed */
- }
-
- if (NEEDS_USER(auth))
- restore_perms();
- }
- }
-
+done:
switch (success) {
case AUTH_SUCCESS:
(void) sigaction(SIGTSTP, &osa, NULL);
return rval;
}
-int auth_begin_session(struct passwd *pw)
+int
+sudo_auth_begin_session(struct passwd *pw)
{
sudo_auth *auth;
int status;
for (auth = auth_switch; auth->name; auth++) {
if (auth->begin_session && !IS_DISABLED(auth)) {
status = (auth->begin_session)(pw, auth);
- if (status == AUTH_FATAL) { /* XXX log */
+ if (status == AUTH_FATAL) {
+ /* XXX log */
audit_failure(NewArgv, "authentication failure");
return -1; /* assume error msg already printed */
}
return TRUE;
}
-int auth_end_session(void)
+int
+sudo_auth_end_session(struct passwd *pw)
{
sudo_auth *auth;
int status;
for (auth = auth_switch; auth->name; auth++) {
if (auth->end_session && !IS_DISABLED(auth)) {
- status = (auth->end_session)(auth);
- if (status == AUTH_FATAL) { /* XXX log */
+ status = (auth->end_session)(pw, auth);
+ if (status == AUTH_FATAL) {
+ /* XXX log */
return -1; /* assume error msg already printed */
}
}