
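--- a/pam_skey-1.1.5.orig/README
+++ b/pam_skey-1.1.5.orig/README
@@ -21,7 +21,7 @@
 - The options accepted by the pam_skey.so module are different, as
   described below.
 
-Four options are accepted by the pam_skey.so module:
+Five options are accepted by the pam_skey.so module:
   debug                  - This option turns on debug logging.
   try_first_pass         - This option tells the module to first try using
                            the authentication token passed from the
@@ -44,6 +44,12 @@
 			   cause the module to pass the given password to the
 			   next module in the authentication stack (usually
 			   pam_unix.so with the try_first_pass option).
+  require_skey           - This options tells the module to require S/Key
+			   authentication if the user has S/Key set. When
+			   this option is set, it is possible to require both
+			   S/Key and other authentication method (like 
+			   password) for successful login. This is mutually
+			   exclusive with no_default_skey.
 
 The exact behavior of pam_skey.so is detailed below:
 
@@ -54,21 +60,21 @@
    if it is a valid response to the current S/Key challenge.  If so,
    return PAM_SUCCESS.
  3a. If the token is invalid and use_first_pass is enabled, return
-     PAM_IGNORE.
+     PAM_IGNORE (or PAM_AUTHERR if require_skey is set).
 4. If no_default_skey is enabled, issue a "Password: " prompt.
  4a. If the response is anything besides "s/key" (case insensitive),
      store it as the authentication token and return PAM_IGNORE.
 5. Display the current S/Key challenge and request a response, with
-   input not echoed.  If no_default_skey is enabled, this will only be
-   an S/Key response request; otherwise, it will request either an
-   S/Key response or a system passsword.
+   input not echoed. If no_default_skey or require_skey is enabled, 
+   this will only be an S/Key response request; otherwise, it will 
+   request either an S/Key response or a system passsword.
  5a. If an empty response is given, request the S/Key response again,
      this time with input echoed.
  5b. If the response is a valid S/Key response, return PAM_SUCCESS.
      Otherwise, return PAM_AUTHERR.
 6. If the response is a valid S/Key response, return PAM_SUCCESS.
-7. Otherwise, if no_default_skey is enabled (the user specifically
-   requested "s/key" authentication), return PAM_AUTHERR.
+7. Otherwise, if no_default_skey or require_skey is enabled (the user
+   specifically requested "s/key" authentication), return PAM_AUTHERR.
 8. Otherwise, store the response as the authentication token and
    return PAM_IGNORE.
 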
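--- a/pam_skey-1.1.5.orig/pam_skey.c
+++ b/pam_skey-1.1.5.orig/pam_skey.c
@@ -110,7 +110,11 @@
       if (skey_passcheck(username, response) != -1) {
 	return PAM_SUCCESS;
       } else if (mod_opt & _MOD_USE_FIRST_PASS) {
-	return PAM_IGNORE;
+        if (mod_opt & _MOD_REQUIRE_SKEY) {
+	  return PAM_AUTH_ERR;
+	} else {
+	  return PAM_IGNORE;
+	}
       }
     } else if (mod_opt & _MOD_USE_FIRST_PASS) {
       return PAM_AUTHTOK_RECOVER_ERR;
@@ -138,7 +142,7 @@
     return PAM_AUTHINFO_UNAVAIL;
   }
 
-  if (mod_opt & _MOD_NO_DEFAULT_SKEY)
+  if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY))
     status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response);
   else
     status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response);
@@ -166,7 +170,7 @@
     return PAM_SUCCESS;
   }
 
-  if (mod_opt & _MOD_NO_DEFAULT_SKEY) {
+  if ((mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)) {
     _pam_delete(response);
     return PAM_AUTH_ERR;
   }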
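Review bot: The new `return PAM_AUTH_ERR;` under `_MOD_USE_FIRST_PASS` has no comment saying why `require_skey` turns an ignored result into a hard failure, and the module still returns `PAM_SUCCESS` on a valid S/Key response, so whether a second factor is really required depends on the control flag used in the PAM stack (under `sufficient` a later password module would presumably not run). I would add `/* require_skey: a rejected S/Key token must fail the stack rather than let the next module decide */` above the inner `if`, and indent that `if` line with a tab like the `return` lines beside it instead of eight spaces. The test `(mod_opt & _MOD_NO_DEFAULT_SKEY) || (mod_opt & _MOD_REQUIRE_SKEY)` is repeated in the two later hunks and reads more simply as `mod_opt & (_MOD_NO_DEFAULT_SKEY | _MOD_REQUIRE_SKEY)`. The enclosing function starts and ends outside all three hunks.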
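--- a/pam_skey-1.1.5.orig/pam_skey.h
+++ b/pam_skey-1.1.5.orig/pam_skey.h
@@ -78,13 +78,14 @@
 #define _MOD_TRY_FIRST_PASS  0x0002	/* Attempt using PAM_AUTHTOK */
 #define _MOD_USE_FIRST_PASS  0x0004	/* Only use PAM_AUTHTOK */
 #define _MOD_NO_DEFAULT_SKEY 0x0008	/* Don't use S/Key by default */
+#define _MOD_REQUIRE_SKEY    0x0010	/* Require S/Key if set */
 
 /* Setup defaults - use echo off only */
 #define _MOD_DEFAULT_FLAG   _MOD_NONE_ON
 #define _MOD_DEFAULT_MASK   _MOD_ALL_ON
 
 /* Number of parameters currently known */
-#define _MOD_ARGS           4
+#define _MOD_ARGS           5
 
 /* Structure for flexible argument parsing */
 typedef struct
@@ -101,5 +102,6 @@
   {"debug",            _MOD_ALL_ON,                   _MOD_DEBUG},
   {"try_first_pass",   _MOD_ALL_ON,                   _MOD_TRY_FIRST_PASS},
   {"use_first_pass",   _MOD_ALL_ON,                   _MOD_USE_FIRST_PASS},
-  {"no_default_skey",  _MOD_ALL_ON,                   _MOD_NO_DEFAULT_SKEY}
+  {"no_default_skey",  (~_MOD_REQUIRE_SKEY),          _MOD_NO_DEFAULT_SKEY},
+  {"require_skey",     (~_MOD_NO_DEFAULT_SKEY),       _MOD_REQUIRE_SKEY}
 };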
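Review bot: The masks `(~_MOD_REQUIRE_SKEY)` and `(~_MOD_NO_DEFAULT_SKEY)` in the option table make the two options clear each other, so if the parser applies each entry's mask and flag in argument order (that loop is outside this section), a PAM line containing `require_skey no_default_skey` silently drops `_MOD_REQUIRE_SKEY`. For an option meant to enforce S/Key that is a fail-open outcome: per the README, the `no_default_skey` path stores any answer other than "s/key" as the token and returns PAM_IGNORE. Consider letting `require_skey` win regardless of order, for example by keeping `{"no_default_skey",  _MOD_ALL_ON,                   _MOD_NO_DEFAULT_SKEY},` and testing `_MOD_REQUIRE_SKEY` first in the code, or at least logging the conflict when both are given. A comment on the two entries stating the intended precedence would also help.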
