Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 81505 Details for
Bug 55279
sys-auth/pam_skey-1.1.4 (new ebuild)
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
pam_skey-1.1.4-gentoo.patch (take 2)
pam_skey-1.1.4-gentoo.patch (text/plain), 55.07 KB, created by
Ulrich Müller
on 2006-03-06 03:13:44 UTC
(
hide
)
Description:
pam_skey-1.1.4-gentoo.patch (take 2)
Filename:
MIME Type:
Creator:
Ulrich Müller
Created:
2006-03-06 03:13:44 UTC
Size:
55.07 KB
patch
obsolete
>diff -Nur pam_skey-1.1.4/INSTALL pam_skey/INSTALL >--- pam_skey-1.1.4/INSTALL 2005-06-18 14:11:24.000000000 +0200 >+++ pam_skey/INSTALL 2006-03-06 09:26:55.000000000 +0100 >@@ -1,5 +1,39 @@ > $Id: INSTALL,v 1.1.1.1 2005/06/18 12:11:24 kreator Exp $ > >+Gentoo patch >+------------ >+Most everything below still holds, though the libraries required are now >+those used by Gentoo. Other S/Key libraries may work with a bit of >+tweaking. >+ >+The options listed for the module below are no longer valid. See the >+Gentoo patch section in README for details. >+ >+The intended method for configuring PAM is by using the newer module >+specification, with a line like: >+ >+auth [success=done ignore=ignore auth_err=die default=bad] /lib/security/pam_skey.so >+ >+This is a combination of the standard "sufficient" and "requisite" >+specifications: >+ >+- If the module returns PAM_SUCCESS, we are authenticated and no other >+ modules should be tested. >+- If the module returns PAM_IGNORE, then the module didn't accept its >+ input as an S/Key response, and the next module should try using >+ the input (using the try_first_pass option). >+- If the module returns PAM_AUTH_ERR, then the module accepted an >+ S/Key input but it was invalid. Do not try any more modules in the >+ stack; the user already chose S/Key authentication. >+- If the module returns any other code, it is a simple error in processing. >+ Set the error flag but try other modules, just in case. >+ >+The module is intended to be placed before another authentication module, >+like pam_unix.so; if not, it should be placed before pam_deny.so. >+ >+If the newer module specification is unavailable in your version of PAM, >+the "sufficient" specification will work. >+ > Required > -------- > For building this package you will probably need original Wietse Venema's >diff -Nur pam_skey-1.1.4/Makefile.in pam_skey/Makefile.in >--- pam_skey-1.1.4/Makefile.in 2005-06-18 14:11:24.000000000 +0200 >+++ pam_skey/Makefile.in 2006-03-06 09:26:55.000000000 +0100 >@@ -12,42 +12,26 @@ > LIBS=@LIBS@ @SKEYLIB@ @PAMLIB@ > LDFLAGS=@LDFLAGS@ > >-INSTALL=@INSTALL@ -m 644 >+INSTALL=@INSTALL@ >+INSTALL_LIB=${INSTALL} -m 755 > RM=@RM@ -f > CP=@CP@ -f > LN=@LN@ -s > AWK=@AWK@ > >-PAM_FILES=pam_skey.so.1 pam_skey_access.so.1 >+PAM_FILES=pam_skey.so > > all: $(PAM_FILES) > >-pam_skey.so.1: pam_skey.o >- $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS) >- >-pam_skey_access.so.1: pam_skey_access.o >+pam_skey.so: pam_skey.o > $(CC) $(CFLAGS) -o $@ $< $(LIBS) $(LDFLAGS) > > lint-pam_skey: > lclint $(CFLAGS) pam_skey.c > >-lint-pam_skey_access: >- lclint $(CFLAGS) pam_skey_access.c >- >-install: >- @if test ! -d $(INSTALLDIR); then \ >- echo "Missing $(INSTALLDIR). Problem with PAM installation?"; \ >- else \ >- for file in $(PAM_FILES); do \ >- if test ! -f "$(INSTALLDIR)/$$file"; then \ >- echo "Installing $$file in $(INSTALLDIR)"; \ >- $(INSTALL) "$$file" "$(INSTALLDIR)/$$file"; \ >- (cd $(INSTALLDIR) && $(LN) "$$file" `echo $$file | cut -d. -f1,2`); \ >- else \ >- echo "$$file exists - will not overwrite it"; \ >- fi \ >- done \ >- fi >+install: all >+ $(INSTALL) -d $(INSTALLDIR) >+ $(INSTALL_LIB) $(PAM_FILES) $(INSTALLDIR) > > clean: > $(RM) a.out core *.so.1 *.o *.bak >diff -Nur pam_skey-1.1.4/README pam_skey/README >--- pam_skey-1.1.4/README 2005-06-18 14:36:18.000000000 +0200 >+++ pam_skey/README 2006-03-06 09:26:55.000000000 +0100 >@@ -1,5 +1,77 @@ > $Id: README,v 1.2 2005/06/18 12:36:18 kreator Exp $ > >+Gentoo patch >+------------ >+ >+The Gentoo pam_skey patch changes the original module in a number of ways. >+The behavior of the module is changed to make it more consistent with the >+PAM design, and several changes were made throughout the code to make the >+module interact better with the skey library used by Gentoo. Many of >+these changes will break pam_skey's compatibility with other systems and >+libraries, but this is, after all, the Gentoo patch. >+ >+A (not necessarily) exhaustive list of the changes is as follows: >+- pam_skey_access.so is completely removed, since the Gentoo skey library >+ does not support the skey_access() call. >+- The pam_skey.so authentication code is completely rewritten. The >+ original code contained many references to the standard I/O library >+ (writing to stderr, etc.), as well as inconsistent communication with >+ the PAM libraries. Also, the authentication process is different, as >+ described below. >+- The options accepted by the pam_skey.so module are different, as >+ described below. >+ >+Four options are accepted by the pam_skey.so module: >+ debug - This option turns on debug logging. >+ try_first_pass - This option tells the module to first try using >+ the authentication token passed from the >+ previous module as an S/Key response, before >+ informing the user of the challenge. If the >+ token is not valid, the module will proceed with >+ the standard process of challenging the user >+ and requesting a response, subject to the >+ no_default_skey option below. >+ use_first_pass - This option is identical to the try_first_pass >+ option, except that if the token is not valid, >+ it will return silently without challenging the >+ user. >+ no_default_skey - This flag changes the behavior of pam_skey. >+ Instead of immediately challenging the user with >+ an S/Key challenge, it will present the user with >+ a standard "Password: " prompt. If the user enters >+ the password "s/key" (case insensitive), it will >+ then challenge the user. Any other input will >+ cause the module to pass the given password to the >+ next module in the authentication stack (usually >+ pam_unix.so with the try_first_pass option). >+ >+The exact behavior of pam_skey.so is detailed below: >+ >+1. Retrieve username from PAM, possibly querying the user for it. >+2. If the user does not have any S/Key information, return PAM_IGNORE to >+ proceed to the next module in the stack. >+3. If *_first_pass is enabled, check the given authentication token to see >+ if it is a valid response to the current S/Key challenge. If so, >+ return PAM_SUCCESS. >+ 3a. If the token is invalid and use_first_pass is enabled, return >+ PAM_IGNORE. >+4. If no_default_skey is enabled, issue a "Password: " prompt. >+ 4a. If the response is anything besides "s/key" (case insensitive), >+ store it as the authentication token and return PAM_IGNORE. >+5. Display the current S/Key challenge and request a response, with >+ input not echoed. If no_default_skey is enabled, this will only be >+ an S/Key response request; otherwise, it will request either an >+ S/Key response or a system passsword. >+ 5a. If an empty response is given, request the S/Key response again, >+ this time with input echoed. >+ 5b. If the response is a valid S/Key response, return PAM_SUCCESS. >+ Otherwise, return PAM_AUTHERR. >+6. If the response is a valid S/Key response, return PAM_SUCCESS. >+7. Otherwise, if no_default_skey is enabled (the user specifically >+ requested "s/key" authentication), return PAM_AUTHERR. >+8. Otherwise, store the response as the authentication token and >+ return PAM_IGNORE. >+ > About > ----- > This is complete pam_skey modul as interface to existing S/Key >diff -Nur pam_skey-1.1.4/autoconf/acconfig.h pam_skey/autoconf/acconfig.h >--- pam_skey-1.1.4/autoconf/acconfig.h 2005-06-18 14:11:24.000000000 +0200 >+++ pam_skey/autoconf/acconfig.h 2006-03-06 09:26:55.000000000 +0100 >@@ -1,17 +1,2 @@ > /* Define if we can include both string.h and strings.h */ > #undef STRING_WITH_STRINGS >- >-/* Define if you have Linux */ >-#undef LINUX >- >-/* Define if you have *BSD */ >-#undef BSD >- >-/* Define if not missing skeyaccess() */ >-#undef HAVE_SKEYACCESS >- >-/* Define if not missing skeyinfo() */ >-#undef HAVE_SKEYINFO >- >-/* Define if you have skeylookup() instead of skeyinfo() */ >-#undef HAVE_SKEYLOOKUP >diff -Nur pam_skey-1.1.4/autoconf/configure.in pam_skey/autoconf/configure.in >--- pam_skey-1.1.4/autoconf/configure.in 2005-06-18 14:11:24.000000000 +0200 >+++ pam_skey/autoconf/configure.in 2006-03-06 09:26:55.000000000 +0100 >@@ -10,21 +10,9 @@ > AC_LANG_C > AC_LANG_SAVE > >-dnl Get system type >-AC_CANONICAL_HOST >-MYHOST=$host_os >-case "$host_os" in >-*linux*) >- AC_DEFINE(LINUX) >- ;; >-*bsd*) >- AC_DEFINE(BSD) >- ;; >-esac >- > dnl Package information > PACKAGE=pam_skey >-VERSION=1.1 >+VERSION=1.4r1 > > dnl Standard installation path > AC_PREFIX_DEFAULT(/usr) >@@ -65,13 +53,9 @@ > AC_ARG_WITH(skey-inc, [ --with-skey-inc=DIR Directory containing skey include files], CFLAGS="${CFLAGS} -I${withval}") > > dnl Check for skey library >-AC_CHECK_LIB(socket, socket) >-AC_CHECK_LIB(nsl, gethostbyname) >+AC_CHECK_LIB(socket, socket, LIBS="${LIBS} -lsocket") >+AC_CHECK_LIB(nsl, gethostbyname, LIBS="${LIBS} -lnsl") > AC_CHECK_LIB(skey, skeyverify, SKEYLIB="-lskey", AC_MSG_ERROR(skey library not found or unknown interface)) >-AC_CHECK_LIB(skey, skeyaccess, AC_DEFINE(HAVE_SKEYACCESS)) >-AC_CHECK_LIB(skey, skeyinfo, AC_DEFINE(HAVE_SKEYINFO), >- AC_CHECK_LIB(skey, skeylookup, AC_DEFINE(HAVE_SKEYLOOKUP)) >-) > > dnl Check against -G linker flag > hold_ldflags=$LDFLAGS >diff -Nur pam_skey-1.1.4/configure pam_skey/configure >--- pam_skey-1.1.4/configure 2005-06-18 14:36:18.000000000 +0200 >+++ pam_skey/configure 2006-03-06 09:27:41.000000000 +0100 >@@ -310,7 +310,7 @@ > # include <unistd.h> > #endif" > >-ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS build build_cpu build_vendor build_os host host_cpu host_vendor host_os CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS' >+ac_subst_vars='SHELL PATH_SEPARATOR PACKAGE_NAME PACKAGE_TARNAME PACKAGE_VERSION PACKAGE_STRING PACKAGE_BUGREPORT exec_prefix prefix program_transform_name bindir sbindir libexecdir datadir sysconfdir sharedstatedir localstatedir libdir includedir oldincludedir infodir mandir build_alias host_alias target_alias DEFS ECHO_C ECHO_N ECHO_T LIBS CC CFLAGS LDFLAGS CPPFLAGS ac_ct_CC EXEEXT OBJEXT SET_MAKE RM LN CP AWK INSTALL_PROGRAM INSTALL_SCRIPT INSTALL_DATA CPP EGREP SKEYLIB PAMLIB MYHOST PACKAGE VERSION LIBOBJS LTLIBOBJS' > ac_subst_files='' > > # Initialize some variables set by options. >@@ -720,13 +720,13 @@ > /^X\(\/\).*/{ s//\1/; q; } > s/.*/./; q'` > srcdir=$ac_confdir >- if test ! -r $srcdir/$ac_unique_file; then >+ if test ! -r "$srcdir/$ac_unique_file"; then > srcdir=.. > fi > else > ac_srcdir_defaulted=no > fi >-if test ! -r $srcdir/$ac_unique_file; then >+if test ! -r "$srcdir/$ac_unique_file"; then > if test "$ac_srcdir_defaulted" = yes; then > { echo "$as_me: error: cannot find sources ($ac_unique_file) in $ac_confdir or .." >&2 > { (exit 1); exit 1; }; } >@@ -735,7 +735,7 @@ > { (exit 1); exit 1; }; } > fi > fi >-(cd $srcdir && test -r ./$ac_unique_file) 2>/dev/null || >+(cd $srcdir && test -r "./$ac_unique_file") 2>/dev/null || > { echo "$as_me: error: sources are in $srcdir, but \`cd $srcdir' does not work" >&2 > { (exit 1); exit 1; }; } > srcdir=`echo "$srcdir" | sed 's%\([^\\/]\)[\\/]*$%\1%'` >@@ -831,10 +831,6 @@ > _ACEOF > > cat <<\_ACEOF >- >-System types: >- --build=BUILD configure for building on BUILD [guessed] >- --host=HOST cross-compile to build programs to run on HOST [BUILD] > _ACEOF > fi > >@@ -948,7 +944,7 @@ > else > echo "$as_me: WARNING: no configuration information is in $ac_dir" >&2 > fi >- cd "$ac_popdir" >+ cd $ac_popdir > done > fi > >@@ -1333,78 +1329,8 @@ > > > >-# Make sure we can run config.sub. >-$ac_config_sub sun4 >/dev/null 2>&1 || >- { { echo "$as_me:$LINENO: error: cannot run $ac_config_sub" >&5 >-echo "$as_me: error: cannot run $ac_config_sub" >&2;} >- { (exit 1); exit 1; }; } >- >-echo "$as_me:$LINENO: checking build system type" >&5 >-echo $ECHO_N "checking build system type... $ECHO_C" >&6 >-if test "${ac_cv_build+set}" = set; then >- echo $ECHO_N "(cached) $ECHO_C" >&6 >-else >- ac_cv_build_alias=$build_alias >-test -z "$ac_cv_build_alias" && >- ac_cv_build_alias=`$ac_config_guess` >-test -z "$ac_cv_build_alias" && >- { { echo "$as_me:$LINENO: error: cannot guess build type; you must specify one" >&5 >-echo "$as_me: error: cannot guess build type; you must specify one" >&2;} >- { (exit 1); exit 1; }; } >-ac_cv_build=`$ac_config_sub $ac_cv_build_alias` || >- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_build_alias failed" >&5 >-echo "$as_me: error: $ac_config_sub $ac_cv_build_alias failed" >&2;} >- { (exit 1); exit 1; }; } >- >-fi >-echo "$as_me:$LINENO: result: $ac_cv_build" >&5 >-echo "${ECHO_T}$ac_cv_build" >&6 >-build=$ac_cv_build >-build_cpu=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` >-build_vendor=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` >-build_os=`echo $ac_cv_build | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` >- >- >-echo "$as_me:$LINENO: checking host system type" >&5 >-echo $ECHO_N "checking host system type... $ECHO_C" >&6 >-if test "${ac_cv_host+set}" = set; then >- echo $ECHO_N "(cached) $ECHO_C" >&6 >-else >- ac_cv_host_alias=$host_alias >-test -z "$ac_cv_host_alias" && >- ac_cv_host_alias=$ac_cv_build_alias >-ac_cv_host=`$ac_config_sub $ac_cv_host_alias` || >- { { echo "$as_me:$LINENO: error: $ac_config_sub $ac_cv_host_alias failed" >&5 >-echo "$as_me: error: $ac_config_sub $ac_cv_host_alias failed" >&2;} >- { (exit 1); exit 1; }; } >- >-fi >-echo "$as_me:$LINENO: result: $ac_cv_host" >&5 >-echo "${ECHO_T}$ac_cv_host" >&6 >-host=$ac_cv_host >-host_cpu=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\1/'` >-host_vendor=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\2/'` >-host_os=`echo $ac_cv_host | sed 's/^\([^-]*\)-\([^-]*\)-\(.*\)$/\3/'` >- >- >-MYHOST=$host_os >-case "$host_os" in >-*linux*) >- cat >>confdefs.h <<\_ACEOF >-#define LINUX 1 >-_ACEOF >- >- ;; >-*bsd*) >- cat >>confdefs.h <<\_ACEOF >-#define BSD 1 >-_ACEOF >- >- ;; >-esac >- > PACKAGE=pam_skey >-VERSION=1.1 >+VERSION=1.4r1 > > > >@@ -1976,7 +1902,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -2034,7 +1961,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -2150,7 +2078,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -2204,7 +2133,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -2249,7 +2179,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -2293,7 +2224,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -2881,7 +2813,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3051,7 +2984,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3124,7 +3058,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3278,7 +3213,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3431,7 +3367,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3533,7 +3470,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3583,7 +3521,6 @@ > CFLAGS="${CFLAGS} -I${withval}" > fi; > >- > echo "$as_me:$LINENO: checking for socket in -lsocket" >&5 > echo $ECHO_N "checking for socket in -lsocket... $ECHO_C" >&6 > if test "${ac_cv_lib_socket_socket+set}" = set; then >@@ -3622,7 +3559,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3648,15 +3586,9 @@ > echo "$as_me:$LINENO: result: $ac_cv_lib_socket_socket" >&5 > echo "${ECHO_T}$ac_cv_lib_socket_socket" >&6 > if test $ac_cv_lib_socket_socket = yes; then >- cat >>confdefs.h <<_ACEOF >-#define HAVE_LIBSOCKET 1 >-_ACEOF >- >- LIBS="-lsocket $LIBS" >- >+ LIBS="${LIBS} -lsocket" > fi > >- > echo "$as_me:$LINENO: checking for gethostbyname in -lnsl" >&5 > echo $ECHO_N "checking for gethostbyname in -lnsl... $ECHO_C" >&6 > if test "${ac_cv_lib_nsl_gethostbyname+set}" = set; then >@@ -3695,7 +3627,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3721,12 +3654,7 @@ > echo "$as_me:$LINENO: result: $ac_cv_lib_nsl_gethostbyname" >&5 > echo "${ECHO_T}$ac_cv_lib_nsl_gethostbyname" >&6 > if test $ac_cv_lib_nsl_gethostbyname = yes; then >- cat >>confdefs.h <<_ACEOF >-#define HAVE_LIBNSL 1 >-_ACEOF >- >- LIBS="-lnsl $LIBS" >- >+ LIBS="${LIBS} -lnsl" > fi > > echo "$as_me:$LINENO: checking for skeyverify in -lskey" >&5 >@@ -3767,7 +3695,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -3800,218 +3729,6 @@ > { (exit 1); exit 1; }; } > fi > >-echo "$as_me:$LINENO: checking for skeyaccess in -lskey" >&5 >-echo $ECHO_N "checking for skeyaccess in -lskey... $ECHO_C" >&6 >-if test "${ac_cv_lib_skey_skeyaccess+set}" = set; then >- echo $ECHO_N "(cached) $ECHO_C" >&6 >-else >- ac_check_lib_save_LIBS=$LIBS >-LIBS="-lskey $LIBS" >-cat >conftest.$ac_ext <<_ACEOF >-/* confdefs.h. */ >-_ACEOF >-cat confdefs.h >>conftest.$ac_ext >-cat >>conftest.$ac_ext <<_ACEOF >-/* end confdefs.h. */ >- >-/* Override any gcc2 internal prototype to avoid an error. */ >-#ifdef __cplusplus >-extern "C" >-#endif >-/* We use char because int might match the return type of a gcc2 >- builtin and then its argument prototype would still apply. */ >-char skeyaccess (); >-int >-main () >-{ >-skeyaccess (); >- ; >- return 0; >-} >-_ACEOF >-rm -f conftest.$ac_objext conftest$ac_exeext >-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 >- (eval $ac_link) 2>conftest.er1 >- ac_status=$? >- grep -v '^ *+' conftest.er1 >conftest.err >- rm -f conftest.er1 >- cat conftest.err >&5 >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 >- (eval $ac_try) 2>&5 >- ac_status=$? >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); }; } && >- { ac_try='test -s conftest$ac_exeext' >- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 >- (eval $ac_try) 2>&5 >- ac_status=$? >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); }; }; then >- ac_cv_lib_skey_skeyaccess=yes >-else >- echo "$as_me: failed program was:" >&5 >-sed 's/^/| /' conftest.$ac_ext >&5 >- >-ac_cv_lib_skey_skeyaccess=no >-fi >-rm -f conftest.err conftest.$ac_objext \ >- conftest$ac_exeext conftest.$ac_ext >-LIBS=$ac_check_lib_save_LIBS >-fi >-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyaccess" >&5 >-echo "${ECHO_T}$ac_cv_lib_skey_skeyaccess" >&6 >-if test $ac_cv_lib_skey_skeyaccess = yes; then >- cat >>confdefs.h <<\_ACEOF >-#define HAVE_SKEYACCESS 1 >-_ACEOF >- >-fi >- >-echo "$as_me:$LINENO: checking for skeyinfo in -lskey" >&5 >-echo $ECHO_N "checking for skeyinfo in -lskey... $ECHO_C" >&6 >-if test "${ac_cv_lib_skey_skeyinfo+set}" = set; then >- echo $ECHO_N "(cached) $ECHO_C" >&6 >-else >- ac_check_lib_save_LIBS=$LIBS >-LIBS="-lskey $LIBS" >-cat >conftest.$ac_ext <<_ACEOF >-/* confdefs.h. */ >-_ACEOF >-cat confdefs.h >>conftest.$ac_ext >-cat >>conftest.$ac_ext <<_ACEOF >-/* end confdefs.h. */ >- >-/* Override any gcc2 internal prototype to avoid an error. */ >-#ifdef __cplusplus >-extern "C" >-#endif >-/* We use char because int might match the return type of a gcc2 >- builtin and then its argument prototype would still apply. */ >-char skeyinfo (); >-int >-main () >-{ >-skeyinfo (); >- ; >- return 0; >-} >-_ACEOF >-rm -f conftest.$ac_objext conftest$ac_exeext >-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 >- (eval $ac_link) 2>conftest.er1 >- ac_status=$? >- grep -v '^ *+' conftest.er1 >conftest.err >- rm -f conftest.er1 >- cat conftest.err >&5 >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 >- (eval $ac_try) 2>&5 >- ac_status=$? >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); }; } && >- { ac_try='test -s conftest$ac_exeext' >- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 >- (eval $ac_try) 2>&5 >- ac_status=$? >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); }; }; then >- ac_cv_lib_skey_skeyinfo=yes >-else >- echo "$as_me: failed program was:" >&5 >-sed 's/^/| /' conftest.$ac_ext >&5 >- >-ac_cv_lib_skey_skeyinfo=no >-fi >-rm -f conftest.err conftest.$ac_objext \ >- conftest$ac_exeext conftest.$ac_ext >-LIBS=$ac_check_lib_save_LIBS >-fi >-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeyinfo" >&5 >-echo "${ECHO_T}$ac_cv_lib_skey_skeyinfo" >&6 >-if test $ac_cv_lib_skey_skeyinfo = yes; then >- cat >>confdefs.h <<\_ACEOF >-#define HAVE_SKEYINFO 1 >-_ACEOF >- >-else >- echo "$as_me:$LINENO: checking for skeylookup in -lskey" >&5 >-echo $ECHO_N "checking for skeylookup in -lskey... $ECHO_C" >&6 >-if test "${ac_cv_lib_skey_skeylookup+set}" = set; then >- echo $ECHO_N "(cached) $ECHO_C" >&6 >-else >- ac_check_lib_save_LIBS=$LIBS >-LIBS="-lskey $LIBS" >-cat >conftest.$ac_ext <<_ACEOF >-/* confdefs.h. */ >-_ACEOF >-cat confdefs.h >>conftest.$ac_ext >-cat >>conftest.$ac_ext <<_ACEOF >-/* end confdefs.h. */ >- >-/* Override any gcc2 internal prototype to avoid an error. */ >-#ifdef __cplusplus >-extern "C" >-#endif >-/* We use char because int might match the return type of a gcc2 >- builtin and then its argument prototype would still apply. */ >-char skeylookup (); >-int >-main () >-{ >-skeylookup (); >- ; >- return 0; >-} >-_ACEOF >-rm -f conftest.$ac_objext conftest$ac_exeext >-if { (eval echo "$as_me:$LINENO: \"$ac_link\"") >&5 >- (eval $ac_link) 2>conftest.er1 >- ac_status=$? >- grep -v '^ *+' conftest.er1 >conftest.err >- rm -f conftest.er1 >- cat conftest.err >&5 >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 >- (eval $ac_try) 2>&5 >- ac_status=$? >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); }; } && >- { ac_try='test -s conftest$ac_exeext' >- { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 >- (eval $ac_try) 2>&5 >- ac_status=$? >- echo "$as_me:$LINENO: \$? = $ac_status" >&5 >- (exit $ac_status); }; }; then >- ac_cv_lib_skey_skeylookup=yes >-else >- echo "$as_me: failed program was:" >&5 >-sed 's/^/| /' conftest.$ac_ext >&5 >- >-ac_cv_lib_skey_skeylookup=no >-fi >-rm -f conftest.err conftest.$ac_objext \ >- conftest$ac_exeext conftest.$ac_ext >-LIBS=$ac_check_lib_save_LIBS >-fi >-echo "$as_me:$LINENO: result: $ac_cv_lib_skey_skeylookup" >&5 >-echo "${ECHO_T}$ac_cv_lib_skey_skeylookup" >&6 >-if test $ac_cv_lib_skey_skeylookup = yes; then >- cat >>confdefs.h <<\_ACEOF >-#define HAVE_SKEYLOOKUP 1 >-_ACEOF >- >-fi >- >- >-fi >- > > hold_ldflags=$LDFLAGS > echo "$as_me:$LINENO: checking for the ld -shared flag" >&5 >@@ -4041,7 +3758,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -4099,7 +3817,8 @@ > cat conftest.err >&5 > echo "$as_me:$LINENO: \$? = $ac_status" >&5 > (exit $ac_status); } && >- { ac_try='test -z "$ac_c_werror_flag" || test ! -s conftest.err' >+ { ac_try='test -z "$ac_c_werror_flag" >+ || test ! -s conftest.err' > { (eval echo "$as_me:$LINENO: \"$ac_try\"") >&5 > (eval $ac_try) 2>&5 > ac_status=$? >@@ -4747,14 +4466,6 @@ > s,@ECHO_N@,$ECHO_N,;t t > s,@ECHO_T@,$ECHO_T,;t t > s,@LIBS@,$LIBS,;t t >-s,@build@,$build,;t t >-s,@build_cpu@,$build_cpu,;t t >-s,@build_vendor@,$build_vendor,;t t >-s,@build_os@,$build_os,;t t >-s,@host@,$host,;t t >-s,@host_cpu@,$host_cpu,;t t >-s,@host_vendor@,$host_vendor,;t t >-s,@host_os@,$host_os,;t t > s,@CC@,$CC,;t t > s,@CFLAGS@,$CFLAGS,;t t > s,@LDFLAGS@,$LDFLAGS,;t t >@@ -4945,6 +4656,11 @@ > *) ac_INSTALL=$ac_top_builddir$INSTALL ;; > esac > >+ if test x"$ac_file" != x-; then >+ { echo "$as_me:$LINENO: creating $ac_file" >&5 >+echo "$as_me: creating $ac_file" >&6;} >+ rm -f "$ac_file" >+ fi > # Let's still pretend it is `configure' which instantiates (i.e., don't > # use $as_me), people would be surprised to read: > # /* config.h. Generated by config.status. */ >@@ -4983,12 +4699,6 @@ > fi;; > esac > done` || { (exit 1); exit 1; } >- >- if test x"$ac_file" != x-; then >- { echo "$as_me:$LINENO: creating $ac_file" >&5 >-echo "$as_me: creating $ac_file" >&6;} >- rm -f "$ac_file" >- fi > _ACEOF > cat >>$CONFIG_STATUS <<_ACEOF > sed "$ac_vpsub >diff -Nur pam_skey-1.1.4/defs.h.in pam_skey/defs.h.in >--- pam_skey-1.1.4/defs.h.in 2005-06-18 14:36:18.000000000 +0200 >+++ pam_skey/defs.h.in 2006-03-06 09:26:55.000000000 +0100 >@@ -1,96 +1,49 @@ >-/* defs.h.in. Generated from configure.in by autoheader. */ >-/* Define if we can include both string.h and strings.h */ >-#undef STRING_WITH_STRINGS >- >-/* Define if you have Linux */ >-#undef LINUX >- >-/* Define if you have *BSD */ >-#undef BSD >+/* defs.h.in. Generated automatically from configure.in by autoheader. */ > >-/* Define if not missing skeyaccess() */ >-#undef HAVE_SKEYACCESS >- >-/* Define if not missing skeyinfo() */ >-#undef HAVE_SKEYINFO >+/* Define if you have the ANSI C header files. */ >+#undef STDC_HEADERS > >-/* Define if you have skeylookup() instead of skeyinfo() */ >-#undef HAVE_SKEYLOOKUP >+/* Define if we can include both string.h and strings.h */ >+#undef STRING_WITH_STRINGS > >-/* Define to 1 if you have the `fprintf' function. */ >+/* Define if you have the fprintf function. */ > #undef HAVE_FPRINTF > >-/* Define to 1 if you have the <inttypes.h> header file. */ >-#undef HAVE_INTTYPES_H >+/* Define if you have the gethostbyname function. */ >+#undef HAVE_GETHOSTBYNAME > >-/* Define to 1 if you have the `nsl' library (-lnsl). */ >-#undef HAVE_LIBNSL >+/* Define if you have the snprintf function. */ >+#undef HAVE_SNPRINTF > >-/* Define to 1 if you have the `socket' library (-lsocket). */ >-#undef HAVE_LIBSOCKET >+/* Define if you have the strncmp function. */ >+#undef HAVE_STRNCMP > >-/* Define to 1 if you have the <memory.h> header file. */ >-#undef HAVE_MEMORY_H >+/* Define if you have the syslog function. */ >+#undef HAVE_SYSLOG > >-/* Define to 1 if you have the <pwd.h> header file. */ >+/* Define if you have the <pwd.h> header file. */ > #undef HAVE_PWD_H > >-/* Define to 1 if you have the <security/pam_appl.h> header file. */ >+/* Define if you have the <security/pam_appl.h> header file. */ > #undef HAVE_SECURITY_PAM_APPL_H > >-/* Define to 1 if you have the <security/pam_modules.h> header file. */ >+/* Define if you have the <security/pam_modules.h> header file. */ > #undef HAVE_SECURITY_PAM_MODULES_H > >-/* Define to 1 if you have the `snprintf' function. */ >-#undef HAVE_SNPRINTF >- >-/* Define to 1 if you have the <stdint.h> header file. */ >-#undef HAVE_STDINT_H >- >-/* Define to 1 if you have the <stdlib.h> header file. */ >+/* Define if you have the <stdlib.h> header file. */ > #undef HAVE_STDLIB_H > >-/* Define to 1 if you have the <strings.h> header file. */ >-#undef HAVE_STRINGS_H >- >-/* Define to 1 if you have the <string.h> header file. */ >+/* Define if you have the <string.h> header file. */ > #undef HAVE_STRING_H > >-/* Define to 1 if you have the `strncmp' function. */ >-#undef HAVE_STRNCMP >- >-/* Define to 1 if you have the `syslog' function. */ >-#undef HAVE_SYSLOG >- >-/* Define to 1 if you have the <syslog.h> header file. */ >-#undef HAVE_SYSLOG_H >- >-/* Define to 1 if you have the <sys/stat.h> header file. */ >-#undef HAVE_SYS_STAT_H >+/* Define if you have the <strings.h> header file. */ >+#undef HAVE_STRINGS_H > >-/* Define to 1 if you have the <sys/syslog.h> header file. */ >+/* Define if you have the <sys/syslog.h> header file. */ > #undef HAVE_SYS_SYSLOG_H > >-/* Define to 1 if you have the <sys/types.h> header file. */ >+/* Define if you have the <sys/types.h> header file. */ > #undef HAVE_SYS_TYPES_H > >-/* Define to 1 if you have the <unistd.h> header file. */ >-#undef HAVE_UNISTD_H >- >-/* Define to the address where bug reports for this package should be sent. */ >-#undef PACKAGE_BUGREPORT >- >-/* Define to the full name of this package. */ >-#undef PACKAGE_NAME >- >-/* Define to the full name and version of this package. */ >-#undef PACKAGE_STRING >- >-/* Define to the one symbol short name of this package. */ >-#undef PACKAGE_TARNAME >- >-/* Define to the version of this package. */ >-#undef PACKAGE_VERSION >- >-/* Define to 1 if you have the ANSI C header files. */ >-#undef STDC_HEADERS >+/* Define if you have the <syslog.h> header file. */ >+#undef HAVE_SYSLOG_H >diff -Nur pam_skey-1.1.4/pam_skey.c pam_skey/pam_skey.c >--- pam_skey-1.1.4/pam_skey.c 2005-06-18 14:36:18.000000000 +0200 >+++ pam_skey/pam_skey.c 2006-03-06 09:26:55.000000000 +0100 >@@ -1,5 +1,6 @@ > /* >- * (c) 2001 Dinko Korunic, kreator@srce.hr >+ * Rewrite (c) 2005 Dani Church, dani.church@gmail.com >+ * Original (c) 2001 Dinko Korunic, kreator@srce.hr > * > * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED > * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF >@@ -33,272 +34,146 @@ > #include <pwd.h> > #include <sys/types.h> > #include <syslog.h> >+#include <ctype.h> > > #define PAM_EXTERN extern > #undef PAM_STATIC > > #include <security/pam_appl.h> > #include <security/pam_modules.h> >+#include <security/_pam_macros.h> > > #include "skey.h" > #include "pam_skey.h" > #include "misc.h" > >+#define LOGDEBUG(x) if (mod_opt & _MOD_DEBUG) { syslog x ;} >+#define QUERY_USERNAME NULL /* Use default username prompt */ >+#define QUERY_PASSWORD "Password: " >+#define QUERY_RESPONSE_OR_PASSWORD "S/Key response or system password: " >+#define QUERY_RESPONSE "S/Key response: " >+ > PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags, > int argc, const char **argv) > { > return PAM_SUCCESS; > } > >+/* >+ * The authentication module will return the following status codes: >+ * PAM_SUCCESS: Successful authentication via S/Key. >+ * PAM_IGNORE: The user doesn't have S/Key or doesn't want to use it. >+ * Continue with the next module, using try_first_pass. >+ * PAM_AUTH_ERR: The user asked to use S/Key, but failed the authentication. >+ * Don't try any more PAM modules. >+ * others: random errors, try next authentication method >+ */ >+ > PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, > int argc, const char **argv) > { >- char challenge[CHALLENGE_MAXSIZE]; /* challenge to print in conv */ >- char msg_text[PAM_MAX_MSG_SIZE]; /* text for pam conv */ >- char *username = NULL; /* username spacer */ >+ const char *challenge; /* challenge to print in conv */ >+ const char *username = NULL; /* username spacer */ > char *response = NULL; /* response spacer */ >- struct skey skey; /* structure that contains skey information */ > int status; /* return status spacer */ >- unsigned mod_opt = _MOD_NONE_ON; /* module options */ >+ unsigned mod_opt=_MOD_NONE_ON; /* module options */ > > /* Get module options */ > mod_getopt(&mod_opt, argc, argv); > >- /* Get username */ >-#if defined LINUX || defined BSD >- if (pam_get_user(pamh, (const char **)&username, "login:") >-#else >- if (pam_get_user(pamh, (char **)&username, "login:") >-#endif >- != PAM_SUCCESS) >- { >- fprintf(stderr, "cannot determine username\n"); >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "cannot determine username"); >- return PAM_USER_UNKNOWN; >- } >- >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "got username %s", username); >- >-#ifdef HAVE_SKEYACCESS >- /* Check S/Key access permissions - user, host and port. Also include >- * sanity checks */ >- if (mod_opt & _MOD_ACCESS_CHECK) >- { >- char *host; /* points to host */ >- char *port; /* points to port */ >- struct passwd *pwuser; /* structure for getpw() */ >- >- /* Get host.. */ >-#if defined LINUX || defined BSD >- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) >-#else >- if (pam_get_item(pamh, PAM_RHOST, (void **)&host) >-#endif >- != PAM_SUCCESS) >- host = NULL; /* couldn't get host */ >- /* ..and port */ >-#if defined LINUX || defined BSD >- if (pam_get_item(pamh, PAM_TTY, (const void **)&port) >-#else >- if (pam_get_item(pamh, PAM_TTY, (void **)&port) >-#endif >- != PAM_SUCCESS) >- port = NULL; /* couldn't get port */ >- >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "checking s/key access for user %s," >- " host %s, port %s", username, >- (host != NULL) ? host : "*unknown*", >- (port != NULL) ? port : "*unknown*"); >- >- /* Get information from passwd file */ >- if ((pwuser = getpwnam(username)) == NULL) >- { >- fprintf(stderr, "no such user\n"); >- syslog(LOG_NOTICE, "cannot find user %s", username); >- return PAM_USER_UNKNOWN; /* perhaps even return PAM_ABORT here? */ >+ /* Get username (taken mainly from pam_unix) */ >+ status = pam_get_user(pamh, &username, QUERY_USERNAME); >+ if (status == PAM_SUCCESS) { >+ if (username == NULL || !isalnum(*username)) { >+ syslog(LOG_ERR, "bad username [%s]", username); >+ return PAM_USER_UNKNOWN; > } >+ LOGDEBUG((LOG_DEBUG, "username [%s] obtained", username)); >+ } else { >+ LOGDEBUG((LOG_DEBUG, "trouble reading username")); >+ if (status == PAM_CONV_AGAIN) >+ return PAM_INCOMPLETE; >+ return status; >+ } > >- /* Do actual checking - we assume skeyaccess() returns PERMIT which is >- * by default 1. Notice 4th argument is NULL - we will not perform >- * address checks on host itself */ >- if (skeyaccess(pwuser, port, host, NULL) != 1) >- { >- fprintf(stderr, "no s/key access permissions\n"); >- syslog(LOG_NOTICE, "no s/key access permissions for %s", >- username); >- return PAM_AUTH_ERR; >- } >+ /* Check whether or not this user has an S/Key */ >+ if (skey_haskey(username) != 0) { >+ LOGDEBUG((LOG_DEBUG, "user [%s] has no S/Key entry", username)); >+ return PAM_IGNORE; > } >- else > >-#endif /* HAVE_SKEYACCESS */ >- >- /* Only do check whether user has passwd entry */ >- if (getpwnam(username) == NULL) >- { >- fprintf(stderr, "no such user\n"); >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "cannot find user %s", >- username); >- return PAM_USER_UNKNOWN; >+ if ((mod_opt & _MOD_TRY_FIRST_PASS) || (mod_opt & _MOD_USE_FIRST_PASS)) { >+ status = pam_get_item(pamh, PAM_AUTHTOK, (const void **) &response); >+ if (status != PAM_SUCCESS) { >+ syslog(LOG_ALERT, "pam_get_item returned error to pam_skey"); >+ return status; >+ } else if (response != NULL) { >+ if (skey_passcheck(username, response) != -1) { >+ return PAM_SUCCESS; >+ } else if (mod_opt & _MOD_USE_FIRST_PASS) { >+ return PAM_IGNORE; >+ } >+ } else if (mod_opt & _MOD_USE_FIRST_PASS) { >+ return PAM_AUTHTOK_RECOVER_ERR; > } >- >- /* Get S/Key information on user with skeyinfo() */ >-#ifdef HAVE_SKEYINFO >- switch (skeyinfo(&skey, username, NULL)) >-#else >-#ifdef HAVE_SKEYLOOKUP >- switch (skeylookup(&skey, username)) >-#endif /* HAVE_SKEYLOOKUP */ >-#endif /* HAVE_SKEYINFO */ >- { >- /* 0: OK */ >- case 0: >- break; >- /* -1: File error */ >- case -1: >-#if 0 >- /* XXX- This seems broken in (at least) logdaemon-5.8. It returns -1 >- * when user not found in keyfile. -kre */ >- fprintf(stderr, "s/key database error\n"); >- syslog(LOG_NOTICE, "s/key database error"); >- return PAM_AUTH_ERR; >-#endif >- /* 1: No such user in database */ >- case 1: >- /* We won't confuse the ordinary user telling him about missing skeys >- * -kre */ >-#if 0 >- fprintf(stderr, "no s/key for %s\n", username); >-#endif >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "no s/key for %s\n", username); >- return PAM_AUTH_ERR; > } >- >- /* Make challenge string */ >-#if defined(SKEY_MAX_HASHNAME_LEN) && defined(SKEY_MAX_SEED_LEN) >- snprintf(challenge, CHALLENGE_MAXSIZE, "otp-%.*s %d %.*s", >- SKEY_MAX_HASHNAME_LEN, skey_get_algorithm(), skey.n - 1, SKEY_MAX_SEED_LEN, skey.seed); >-#else >- snprintf(challenge, CHALLENGE_MAXSIZE, "s/key %d %s", >- skey.n - 1, skey.seed); >-#endif >- >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "got challenge %s for %s", challenge, >- username); >- >- /* Read response from last module's PAM_AUTHTOK */ >- if (mod_opt & _MOD_USE_FIRST_PASS) >- { >- /* Try to extract authtoken */ >-#if defined LINUX || defined BSD >- if (pam_get_item(pamh, PAM_AUTHTOK, (const void **)&response) >-#else >- if (pam_get_item(pamh, PAM_AUTHTOK, (void **)&response) >-#endif >- != PAM_SUCCESS) >- { >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "could not get PAM_AUTHTOK"); >- mod_opt &= ~_MOD_USE_FIRST_PASS; >+ >+ if (mod_opt & _MOD_NO_DEFAULT_SKEY) { >+ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_PASSWORD, 0, &response); >+ if (status != PAM_SUCCESS) { >+ _pam_delete(response) >+ return status; > } >- else >- { >- /* Got AUTHTOK, but it was empty */ >- if (empty_authtok(response)) >- { >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "empty PAM_AUTHTOK"); >- mod_opt &= ~_MOD_USE_FIRST_PASS; >- } >- else >- /* All OK, print challenge information */ >- fprintf(stderr, "challenge %s\n", challenge); >+ if (strcasecmp(response,"s/key")!=0) { >+ status = pam_set_item(pamh, PAM_AUTHTOK, response); >+ if (status != PAM_SUCCESS) >+ return status; >+ return PAM_IGNORE; > } >+ _pam_delete(response); > } > >- /* There was no PAM_AUTHTOK, or there was no such option in pam-conf >- * file */ >- if (!(mod_opt & _MOD_USE_FIRST_PASS)) >- { >- /* Prepare a complete message for conversation */ >- snprintf(msg_text, PAM_MAX_MSG_SIZE, >- "challenge %s\npassword: ", challenge); >- >- /* Talk with user */ >- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response) >- != PAM_SUCCESS) >- return PAM_SERVICE_ERR; >- >- /* Simulate standard S/Key login procedure - if empty token, turn on >- * ECHO and prompt again */ >- if (empty_authtok(response) && !(mod_opt & _MOD_ONLY_ONE_TRY)) >- { >- /* Was there echo off? */ >- if (mod_opt & _MOD_ECHO_OFF) >- { >- _pam_delete(response); >- fprintf(stderr, "(turning echo on)\n"); >- mod_opt &= ~_MOD_ECHO_OFF; >- >- /* Prepare a complete message for conversation */ >- snprintf(msg_text, PAM_MAX_MSG_SIZE, "password: "); >- >- /* Talk with user */ >- if (mod_talk_touser(pamh, &mod_opt, msg_text, &response) >- != PAM_SUCCESS) >- return PAM_SERVICE_ERR; >- >- /* Got again empty response. Bailout and don't save auth token */ >- if (empty_authtok(response)) >- return PAM_AUTH_ERR; >- } >- else >- /* There was echo on already - just get out and don't save auth token >- * for other modules */ >- return PAM_AUTH_ERR; >- } >+ challenge = skey_keyinfo(username); >+ if (challenge == NULL) { >+ syslog(LOG_ALERT, "Could not retrieve S/Key challenge for [%s]", username); >+ return PAM_AUTHINFO_UNAVAIL; >+ } > >- /* XXX - ECHO ON puts '\n' at the end in Solaris 2.7! This is >- * cludge to get rid of this nasty `feature' -kre */ >- _pam_degarbage(response); >- >- /* Store auth token - that next module can use with `use_first_pass' */ >- if (pam_set_item(pamh, PAM_AUTHTOK, response) != PAM_SUCCESS) >- { >- syslog(LOG_NOTICE, "unable to save auth token"); >- return PAM_SERVICE_ERR; >- } >+ if (mod_opt & _MOD_NO_DEFAULT_SKEY) >+ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE, 0, &response); >+ else >+ status = mod_talk_touser(pamh, mod_opt, challenge, QUERY_RESPONSE_OR_PASSWORD, 0, &response); > >- /* cleanup conversation */ >+ if (status != PAM_SUCCESS) >+ return status; >+ >+ if (*response == '\0') { > _pam_delete(response); >- } >- >- /* Verify S/Key */ >- status = skeyverify(&skey, response); >+ status = mod_talk_touser(pamh, mod_opt, NULL, QUERY_RESPONSE, 1, &response); >+ if (status != PAM_SUCCESS) >+ return status; >+ status = pam_set_item(pamh, PAM_AUTHTOK, response); >+ status = skey_passcheck(username, response); >+ _pam_delete(response); >+ if (status != -1) >+ return PAM_SUCCESS; >+ return PAM_AUTH_ERR; >+ } > >- switch (status) >- { >- /* 0: Verify successful, database updated */ >- case 0: >- break; >- /* -1: Error of some sort; database unchanged */ >- /* 1: Verify failed, database unchanged */ >- case -1: >- case 1: >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "verify for %s failed, database" >- " unchanged", username); >- return PAM_AUTH_ERR; >+ status = pam_set_item(pamh, PAM_AUTHTOK, response); >+ status = skey_passcheck(username, response); >+ if (status != -1) { >+ _pam_delete(response); >+ return PAM_SUCCESS; >+ } >+ >+ if (mod_opt & _MOD_NO_DEFAULT_SKEY) { >+ _pam_delete(response); >+ return PAM_AUTH_ERR; > } > >- /* Success by default */ >- return PAM_SUCCESS; >+ status = pam_set_item(pamh, PAM_AUTHTOK, response); >+ return PAM_IGNORE; > } > > /* Get module optional parameters */ >@@ -332,50 +207,43 @@ > } > > /* This will talk to user through PAM_CONV */ >-static int mod_talk_touser(pam_handle_t *pamh, unsigned *mod_opt, >- char *msg_text, char **response) >+static int mod_talk_touser(pam_handle_t *pamh, unsigned mod_opt, >+ const char *info_text, const char *prompt_text, int echo_on, char **response) > { >- struct pam_message message; >- const struct pam_message *pmessage = &message; >+ struct pam_message message[2], *pmessage[2]; > struct pam_conv *conv = NULL; > struct pam_response *presponse = NULL; >- >+ int i=0; >+ > /* Better safe than sorry */ > *response = NULL; > > /* Be paranoid */ > memset(&message, 0, sizeof(message)); > >- /* Turn on/off PAM echo */ >- if (*mod_opt & _MOD_ECHO_OFF) >- message.msg_style = PAM_PROMPT_ECHO_OFF; >- else >- message.msg_style = PAM_PROMPT_ECHO_ON; >+ pmessage[0] = &message[0]; >+ pmessage[1] = &message[1]; >+ >+ /* Set info text, if any */ >+ if (info_text) { >+ message[i].msg = info_text; >+ message[i].msg_style = PAM_TEXT_INFO; >+ i++; >+ } > >- /* Point to conversation text */ >- message.msg = msg_text; >+ /* Set prompt text */ >+ message[i].msg = prompt_text; >+ message[i].msg_style = echo_on ? PAM_PROMPT_ECHO_ON : PAM_PROMPT_ECHO_OFF; >+ i++; > > /* Do conversation and see if all is OK */ >-#if defined LINUX || defined BSD >- if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) >-#else >- if (pam_get_item(pamh, PAM_CONV, (void **)&conv) >-#endif >- != PAM_SUCCESS) >- { >- if (*mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "error in conversation"); >+ if (pam_get_item(pamh, PAM_CONV, (const void **)&conv) != PAM_SUCCESS) { >+ LOGDEBUG((LOG_DEBUG, "error in conversation")); > return PAM_SERVICE_ERR; > } >- >- /* Convert into pam_response - only 1 reply expected */ >-#if defined LINUX || defined BSD >- if (conv->conv(1, &pmessage, &presponse, >+ /* Convert into pam_response */ >+ if (conv->conv(i, (const struct pam_message **)pmessage, &presponse, > conv->appdata_ptr) >-#else >- if (conv->conv(1, (struct pam_message **)&pmessage, &presponse, >- conv->appdata_ptr) >-#endif > != PAM_SUCCESS) > { > _pam_delete(presponse->resp); >@@ -385,10 +253,10 @@ > if (presponse != NULL) > { > /* Save address */ >- *response = presponse->resp; >+ *response = presponse[i-1].resp; > /* To ensure that response address will not be erased */ >- presponse->resp = NULL; >- _pam_drop(presponse); >+ presponse[i-1].resp = NULL; >+ _pam_drop_reply(presponse,i); > } > else > return PAM_SERVICE_ERR; >diff -Nur pam_skey-1.1.4/pam_skey.h pam_skey/pam_skey.h >--- pam_skey-1.1.4/pam_skey.h 2005-06-18 14:36:18.000000000 +0200 >+++ pam_skey/pam_skey.h 2006-03-06 09:26:55.000000000 +0100 >@@ -22,29 +22,25 @@ > */ > > /* Prototypes */ >-#ifndef BSD >-extern int skeyinfo(struct skey *, char *, char *); /* ORGH! Not in skey.h */ >-#endif >- > static void mod_getopt(unsigned *, int, const char **); >-static int mod_talk_touser(pam_handle_t *, unsigned *, char *, char **); >+static int mod_talk_touser(pam_handle_t *, unsigned, const char *, const char *, int, char **); > > /* free() macro */ >-#define _pam_drop(X) \ >+/*#define _pam_drop(X) \ > if (X != NULL) \ > { \ > free(X); \ > X = NULL; \ >-} >+}*/ > > /* Secure overwrite */ >-#define _pam_overwrite(x) \ >+/*#define _pam_overwrite(x) \ > { \ > register char *__xx__; \ > if ((__xx__ = (x))) \ > while (*__xx__) \ > *__xx__++ = '\0'; \ >-} >+}*/ > > /* Drop-in secure replacement - we do not want cleartext passwords lying > * scattered around */ >@@ -56,7 +52,7 @@ > > /* This will get us rid of first '\n' in response string and cut-off the > * rest of the string. It should be ASCIIZ, of course */ >-#define _pam_degarbage(x) \ >+/*#define _pam_degarbage(x) \ > { \ > register char *__xx__; \ > if ((__xx__ = (x))) \ >@@ -70,30 +66,25 @@ > else \ > __xx__++; \ > } \ >-} >+}*/ > > /* Handy empty AUTHTOK macro */ > #define empty_authtok(a) (a == NULL || !*a || *a == '\n') > >-/* Maximum challenge size. It should be 64, but be sure */ >-#define CHALLENGE_MAXSIZE 128 >- > /* Define module flags */ >-#define _MOD_NONE_ON 0x0000 /* Generic flag */ >-#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */ >-#define _MOD_DEBUG 0x0001 /* Debugging options on */ >-#define _MOD_ECHO_OFF 0x0002 /* PAM_ECHO_OFF */ >-#define _MOD_ACCESS_CHECK 0x0004 /* Check S/Key access permissions */ >-#define _MOD_USE_FIRST_PASS 0x0008 /* Use PAM_AUTHTOK */ >-#define _MOD_ONLY_ONE_TRY 0x0010 /* Only one try, no matter of echo */ >-#define _MOD_SPACER 0x0020 /* Currently unused */ >+#define _MOD_NONE_ON 0x0000 /* Generic flag */ >+#define _MOD_ALL_ON (~_MOD_NONE_ON) /* Generic mask */ >+#define _MOD_DEBUG 0x0001 /* Debugging options on */ >+#define _MOD_TRY_FIRST_PASS 0x0002 /* Attempt using PAM_AUTHTOK */ >+#define _MOD_USE_FIRST_PASS 0x0004 /* Only use PAM_AUTHTOK */ >+#define _MOD_NO_DEFAULT_SKEY 0x0008 /* Don't use S/Key by default */ > > /* Setup defaults - use echo off only */ >-#define _MOD_DEFAULT_FLAG _MOD_ECHO_OFF >+#define _MOD_DEFAULT_FLAG _MOD_NONE_ON > #define _MOD_DEFAULT_MASK _MOD_ALL_ON > > /* Number of parameters currently known */ >-#define _MOD_ARGS 8 >+#define _MOD_ARGS 4 > > /* Structure for flexible argument parsing */ > typedef struct >@@ -108,11 +99,7 @@ > { > /* String Mask Flag */ > {"debug", _MOD_ALL_ON, _MOD_DEBUG}, >- {"echo=off", _MOD_ALL_ON, _MOD_ECHO_OFF}, >- {"echo=on", _MOD_ALL_ON^_MOD_ECHO_OFF, _MOD_NONE_ON}, >- {"access_check=on", _MOD_ALL_ON, _MOD_ACCESS_CHECK}, >- {"access_check=off", _MOD_ALL_ON^_MOD_ACCESS_CHECK, _MOD_NONE_ON}, >+ {"try_first_pass", _MOD_ALL_ON, _MOD_TRY_FIRST_PASS}, > {"use_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, >- {"try_first_pass", _MOD_ALL_ON, _MOD_USE_FIRST_PASS}, >- {"only_one_try", _MOD_ALL_ON, _MOD_ONLY_ONE_TRY} >+ {"no_default_skey", _MOD_ALL_ON, _MOD_NO_DEFAULT_SKEY} > }; >diff -Nur pam_skey-1.1.4/pam_skey_access.c pam_skey/pam_skey_access.c >--- pam_skey-1.1.4/pam_skey_access.c 2005-06-18 14:36:18.000000000 +0200 >+++ pam_skey/pam_skey_access.c 1970-01-01 01:00:00.000000000 +0100 >@@ -1,161 +0,0 @@ >-/* >- * (c) 2001 Dinko Korunic, kreator@srce.hr >- * >- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED >- * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF >- * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. >- * >- * S/KEY is a trademark of Bellcore. >- * Mink is the former name of the S/KEY authentication system. >- * >- * Programs that had some influence in development of this source: >- * Wietse Venema's logdaemon package >- * Olaf Kirch's Linux S/Key package >- * Linux-PAM modules and templates >- * Wyman Miles' pam_securid module >- * >- * Should you choose to use and/or modify this source code, please do so >- * under the terms of the GNU General Public License under which this >- * program is distributed. >- */ >- >-static char rcsid[] = "$Id: pam_skey_access.c,v 1.2 2005/06/18 12:36:18 kreator Exp $"; >- >-#include "defs.h" >- >-#include <stdio.h> >-#include <stdlib.h> >-#include <string.h> >-#ifdef STRING_WITH_STRINGS >-# include <strings.h> >-#endif >-#include <unistd.h> >-#include <pwd.h> >-#include <sys/types.h> >-#include <syslog.h> >- >-#define PAM_EXTERN extern >-#undef PAM_STATIC >- >-#include <security/pam_appl.h> >-#include <security/pam_modules.h> >- >-#include "skey.h" >-#include "pam_skey.h" >-#include "misc.h" >- >-PAM_EXTERN int pam_sm_setcred (pam_handle_t *pamh, int flags, >- int argc, const char **argv) >-{ >- return PAM_SUCCESS; >-} >- >-PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh, int flags, >- int argc, const char **argv) >-{ >- char *username = NULL; /* will point to username */ >- unsigned mod_opt = _MOD_NONE_ON; /* module options */ >- char *host; /* will point to host */ >- char *port; /* will point to port */ >- struct passwd *pwuser; >- >- /* Get module options */ >- mod_getopt(&mod_opt, argc, argv); >- >- /* Get username */ >-#if defined LINUX || defined BSD >- if (pam_get_user(pamh, (const char **)&username, "login:")!=PAM_SUCCESS) >-#else >- if (pam_get_user(pamh, (char **)&username, "login:")!=PAM_SUCCESS) >-#endif >- { >- fprintf(stderr, "cannot determine username\n"); >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "cannot determine username"); >- return PAM_AUTHINFO_UNAVAIL; >- } >- >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "got username %s", username); >- >- /* Check S/Key access permissions - user, host and port. Also include >- * sanity checks */ >- /* Get host.. */ >-#if defined LINUX || defined BSD >- if (pam_get_item(pamh, PAM_RHOST, (const void **)&host) >-#else >- if (pam_get_item(pamh, PAM_RHOST, (void **)&host) >-#endif >- != PAM_SUCCESS) >- host = NULL; >- /* ..and port */ >-#ifdef LINUX >- if (pam_get_item(pamh, PAM_TTY, (const void **)&port) >-#else >- if (pam_get_item(pamh, PAM_TTY, (void **)&port) >-#endif >- != PAM_SUCCESS) >- port = NULL; >- >- if (mod_opt & _MOD_DEBUG) >- syslog(LOG_DEBUG, "checking s/key access for user %s," >- " host %s, port %s", username, >- (host != NULL) ? host : "*unknown*", >- (port != NULL) ? port : "*unknown*"); >- >- /* Get information from passwd file */ >- if ((pwuser = getpwnam(username)) == NULL) >- { >- fprintf(stderr, "no such user\n"); >- syslog(LOG_NOTICE, "cannot find user %s", >- username); >- return PAM_AUTHINFO_UNAVAIL; >- } >- >-#ifdef HAVE_SKEYACCESS >- >- /* Do actual checking - we assume skeyaccess() returns PERMIT which is >- * by default 1. Notice 4th argument is NULL - we will not perform >- * address checks on host itself */ >- if (skeyaccess(pwuser, port, host, NULL) != 1) >- { >- fprintf(stderr, "no s/key access permissions\n"); >- syslog(LOG_NOTICE, "no s/key access permissions for %s", >- username); >- return PAM_AUTH_ERR; >- } >- >-#endif /* HAVE_SKEYACCESS */ >- >- return PAM_SUCCESS; >-} >- >-/* Get module optional parameters */ >-static void mod_getopt(unsigned *mod_opt, int mod_argc, const char **mod_argv) >-{ >- int i; >- >- /* Setup runtime defaults */ >- *mod_opt |= _MOD_DEFAULT_FLAG; >- *mod_opt &= _MOD_DEFAULT_MASK; >- >- /* Setup runtime options */ >- while (mod_argc--) >- { >- for (i = 0; i < _MOD_ARGS; ++i) >- { >- if (mod_args[i].token != NULL && >- !strncmp(*mod_argv, mod_args[i].token, >- strlen(mod_args[i].token))) >- break; >- } >- if (i >= _MOD_ARGS) >- syslog(LOG_ERR, "unknown option %s", *mod_argv); >- else >- { >- *mod_opt &= mod_args[i].mask; /* Turn off */ >- *mod_opt |= mod_args[i].flag; /* Turn on */ >- } >- ++mod_argv; >- } >-}
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=81505">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 55279
:
34238
|
34321
|
52094
|
52095
|
81391
|
81392
|
81492
| 81505 |
90101
