#include <sys/file.h>
#include <pwd.h>
#include <grp.h>
-#ifdef HAVE_KERB4
-# include <krb.h>
-#endif /* HAVE_KERB4 */
-#ifdef HAVE_KERB5
-# include <krb5.h>
-#endif /* HAVE_KERB5 */
-#ifdef HAVE_PAM
-# include <security/pam_appl.h>
-#endif /* HAVE_PAM */
-#ifdef HAVE_AFS
-# include <afs/stds.h>
-# include <afs/kautils.h>
-#endif /* HAVE_AFS */
-#ifdef HAVE_SECURID
-# include <sdi_athd.h>
-# include <sdconf.h>
-# include <sdacmvls.h>
-#endif /* HAVE_SECURID */
-#ifdef HAVE_SKEY
-# include <skey.h>
-#endif /* HAVE_SKEY */
-#ifdef HAVE_OPIE
-# include <opie.h>
-#endif /* HAVE_OPIE */
-#ifdef HAVE_AUTHSRV
-# include <firewall.h>
-#endif
#ifdef HAVE_UTIME
# ifdef HAVE_UTIME_H
# include <utime.h>
#endif /* HAVE_UTIME */
#include "sudo.h"
-#include "insults.h"
#include "version.h"
#ifndef lint
* Prototypes for local functions
*/
static int check_timestamp __P((void));
-static void check_passwd __P((void));
static int touch __P((char *));
static void update_timestamp __P((void));
static void reminder __P((void));
static char *expand_prompt __P((char *, char *, char *));
-#ifdef HAVE_KERB4
-static int sudo_krb_validate_user __P((struct passwd *, char *));
-#endif /* HAVE_KERB4 */
-#ifdef HAVE_KERB5
-static int sudo_krb5_validate_user __P((struct passwd *, char *));
-static int verify_krb_v5_tgt __P((krb5_ccache));
-#endif /* HAVE_KERB5 */
-#ifdef HAVE_PAM
-static void pam_attempt_auth __P((void));
-static int pam_auth __P((char *, char *));
-static int PAM_conv __P((int,
- PAM_CONST struct pam_message **,
- struct pam_response **, void *));
-#endif /* HAVE_PAM */
-#ifdef HAVE_SKEY
-static char *sudo_skeyprompt __P((struct skey *, char *));
-#endif /* HAVE_SKEY */
-#ifdef HAVE_OPIE
-static char *sudo_opieprompt __P((struct opie *, char *));
-#endif /* HAVE_OPIE */
int user_is_exempt __P((void));
+
/*
* Globals
*/
static int timedir_is_good;
static char timestampfile[MAXPATHLEN];
-#ifdef HAVE_SECURID
-union config_record configure;
-#endif /* HAVE_SECURID */
-#ifdef HAVE_SKEY
-struct skey skey;
-#endif
-#ifdef HAVE_OPIE
-struct opie opie;
-#endif
-#ifdef HAVE_KERB5
-extern krb5_context sudo_context;
-extern char *realm;
-extern int xrealm;
-#endif /* HAVE_KERB5 */
-
/********************************************************************
}
-
/********************************************************************
*
* user_is_exempt()
}
-
/********************************************************************
*
* check_timestamp()
}
-
/********************************************************************
*
* touch()
#undef UTP
-
/********************************************************************
*
* update_timestamp()
}
-
/********************************************************************
*
* remove_timestamp()
}
-
-/********************************************************************
- *
- * check_passwd()
- *
- * This function grabs the user's password and checks with the password
- * in /etc/passwd (or uses other specified authentication method).
- */
-
-#ifdef HAVE_SECURID
-static void
-check_passwd()
-{
- struct SD_CLIENT sd_dat, *sd; /* SecurID data block */
- register int counter = TRIES_FOR_PASSWORD;
-
- (void) memset((VOID *)&sd_dat, 0, sizeof(sd_dat));
- sd = &sd_dat;
-
- /* Initialize SecurID. */
- set_perms(PERM_ROOT, 0);
- creadcfg();
- if (sd_init(sd) != 0) {
- (void) fprintf(stderr, "%s: Cannot contact SecurID server\n", Argv[0]);
- exit(1);
- }
-
- /*
- * you get TRIES_FOR_PASSWORD times to guess your password
- */
- while (counter > 0) {
- if (sd_auth(sd) == ACM_OK) {
- set_perms(PERM_USER, 0);
- return;
- }
-
- --counter; /* otherwise, try again */
- pass_warn(stderr);
- }
- set_perms(PERM_USER, 0);
-
- if (counter > 0) {
- log_error(PASSWORD_NOT_CORRECT);
- inform_user(PASSWORD_NOT_CORRECT);
- } else {
- log_error(PASSWORDS_NOT_CORRECT);
- inform_user(PASSWORDS_NOT_CORRECT);
- }
-
- exit(1);
-}
-#else /* !HAVE_SECURID */
-#ifdef HAVE_AUTHSRV
-static void
-check_passwd()
-{
- char *pass; /* this is what gets entered */
- Cfg *confp;
-
- char cbuf[128];
- char ubuf[128], buf[128];
- register int counter = TRIES_FOR_PASSWORD;
-
- if ((confp = cfg_read("sudo")) == (Cfg *)-1) {
- fprintf(stderr, "Cannot read config.\n");
- exit(1);
- }
-
- /* Initialize Auth Client */
- auth_open(confp);
-
- /* get welcome message from auth server */
- if (auth_recv(buf, sizeof(buf))) {
- sprintf(buf, "Lost connection to server");
- fprintf(stderr, "%s\n", buf);
- exit(1);
- }
-
- if (strncmp(buf, "Authsrv ready", 13)) {
- fprintf(stderr, "Auth server error %s\n", buf);
- auth_close();
- exit(1);
- }
-
- /*
- * you get TRIES_FOR_PASSWORD times to guess your password
- */
- while (counter > 0) {
-
- sprintf(cbuf,"authorize %s sudo",user_name);
-
- auth_send(cbuf);
- auth_recv(cbuf,sizeof(cbuf));
-
- if (!strncmp(cbuf, "challenge ", 10)) {
- sprintf(buf, "Challenge \"%s\": ", &cbuf[10]);
- pass = GETPASS(buf, PASSWORD_TIMEOUT * 60);
- } else if (!strncmp(cbuf, "password", 8)) {
- pass = GETPASS(buf, PASSWORD_TIMEOUT * 60);
- } else {
- fprintf(stderr, "Server sent %s\n", cbuf);
- auth_close();
- exit(1);
- }
-
- sprintf(cbuf, "response '%s'", pass);
- auth_send(cbuf);
- auth_recv(cbuf, sizeof(cbuf));
-
- if (!strncmp(cbuf, "ok", 2)) {
- /* Success */
- /*inform_user(cbuf);*/
- set_perms(PERM_USER, 0);
- auth_close();
- return;
- } else {
- fprintf(stderr, "Server returned %s\n", cbuf);
- }
- pass_warn(stderr);
- --counter; /* otherwise, try again */
- }
-
- set_perms(PERM_USER, 0);
-
- auth_close();
-
- if (counter > 0) {
- log_error(PASSWORD_NOT_CORRECT);
- inform_user(PASSWORD_NOT_CORRECT);
- } else {
- log_error(PASSWORDS_NOT_CORRECT);
- inform_user(PASSWORDS_NOT_CORRECT);
- }
- exit(1);
-}
-#else /* !HAVE_AUTHSRV */
-
-static void
-check_passwd()
-{
- char *pass; /* this is what gets entered */
- int counter = TRIES_FOR_PASSWORD;
-#if defined(HAVE_KERB4) && defined(USE_GETPASS)
- char kpass[SUDO_PASS_MAX + 1];
-#endif /* HAVE_KERB4 && USE_GETPASS */
-#ifdef HAVE_AUTHENTICATE
- char *message;
- int reenter;
-#endif /* HAVE_AUTHENTICATE */
-
-#ifdef HAVE_SKEY
- (void) memset((VOID *)&skey, 0, sizeof(skey));
-#endif /* HAVE_SKEY */
-#ifdef HAVE_OPIE
- (void) memset((VOID *)&opie, 0, sizeof(opie));
-#endif /* HAVE_OPIE */
-
- /*
- * you get TRIES_FOR_PASSWORD times to guess your password
- */
- while (counter > 0) {
-
-#ifdef HAVE_AUTHENTICATE
- /* use AIX authenticate() function */
- pass = GETPASS(prompt, PASSWORD_TIMEOUT * 60);
- reenter = 1;
- if (authenticate(user_name, pass, &reenter, &message) == 0)
- return; /* valid password */
-#else /* HAVE_AUTHENTICATE */
-# ifdef HAVE_SKEY
- /* rewrite the prompt if using s/key since the challenge can change */
- set_perms(PERM_ROOT, 0);
- prompt = sudo_skeyprompt(&skey, prompt);
- set_perms(PERM_USER, 0);
-# endif /* HAVE_SKEY */
-# ifdef HAVE_OPIE
- /* rewrite the prompt if using OPIE since the challenge can change */
- set_perms(PERM_ROOT, 0);
- prompt = sudo_opieprompt(&opie, prompt);
- set_perms(PERM_USER, 0);
-# endif /* HAVE_OPIE */
-
- /* get a password from the user */
-# if defined(HAVE_KERB4) && defined(USE_GETPASS)
- (void) des_read_pw_string(kpass, sizeof(kpass) - 1, prompt, 0);
- pass = kpass;
-# else
- pass = (char *) GETPASS(prompt, PASSWORD_TIMEOUT * 60);
-# endif /* HAVE_KERB4 */
-
-# ifdef HAVE_SKEY
- /* Only check s/key db if the user exists there */
- if (skey.keyfile) {
- set_perms(PERM_ROOT, 0);
- if (skeyverify(&skey, pass) == 0) {
- set_perms(PERM_USER, 0);
- return; /* if the key is correct return() */
- }
- set_perms(PERM_USER, 0);
- }
-# endif /* HAVE_SKEY */
-# ifdef HAVE_OPIE
- /* Only check OPIE db if the user exists there */
- if (opie.opie_flags) {
- set_perms(PERM_ROOT, 0);
- if (opieverify(&opie, pass) == 0) {
- set_perms(PERM_USER, 0);
- return; /* if the key is correct return() */
- }
- set_perms(PERM_USER, 0);
- }
-# endif /* HAVE_OPIE */
-# if !defined(OTP_ONLY) || (!defined(HAVE_SKEY) && !defined(HAVE_OPIE))
- /*
- * If we use shadow passwords with a different crypt(3)
- * check that here, else use standard crypt(3).
- */
-# ifdef HAVE_GETAUTHUID
- if (!strcmp(user_passwd, (char *) crypt16(pass, user_passwd)))
- return; /* if the passwd is correct return() */
-# endif /* HAVE_GETAUTHUID */
-
-# ifdef HAVE_GETPRPWNAM
- if (check_secureware(pass))
- return; /* if the passwd is correct return() */
-# endif /* HAVE_HAVE_GETPRPWNAM */
-
- /* Normal UN*X password check */
- if (!strcmp(user_passwd, (char *) crypt(pass, user_passwd)))
- return; /* if the passwd is correct return() */
-
-# ifdef HAVE_KERB4
- if (user_uid && sudo_krb_validate_user(user_pw_ent, pass) == 0)
- return;
-# endif /* HAVE_KERB4 */
-
-# ifdef HAVE_KERB5
- if (sudo_krb5_validate_user(user_pw_ent, pass) == 0)
- return;
-# endif /* HAVE_KERB5 */
-
-# ifdef HAVE_AFS
- if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION,
- user_name, /* name */
- NULL, /* instance */
- NULL, /* realm */
- pass, /* password */
- 0, /* lifetime */
- 0, 0, /* spare */
- NULL) == 0) /* reason */
- return;
-# endif /* HAVE_AFS */
-# ifdef HAVE_DCE
- /*
- * consult the DCE registry for password validation
- * note that dce_pwent trashes pass upon return...
- */
- if (dce_pwent(user_name, pass))
- return;
-# endif /* HAVE_DCE */
-# endif /* !OTP_ONLY || (!HAVE_SKEY && !HAVE_OPIE) */
-#endif /* HAVE_AUTHENTICATE */
-
- /* Exit loop on nil password, but give it a chance to match first. */
- if (!pass || *pass == '\0') {
- if (counter == TRIES_FOR_PASSWORD)
- exit(1);
- else
- break;
- }
-
- --counter; /* otherwise, try again */
- pass_warn(stderr);
- }
-
- if (counter > 0) {
- log_error(PASSWORD_NOT_CORRECT);
- inform_user(PASSWORD_NOT_CORRECT);
- } else {
- log_error(PASSWORDS_NOT_CORRECT);
- inform_user(PASSWORDS_NOT_CORRECT);
- }
-
- exit(1);
-}
-#endif /* HAVE_AUTHSRV */
-#endif /* HAVE_SECURID */
-
-
-#ifdef HAVE_KERB4
-/********************************************************************
- *
- * sudo_krb_validate_user()
- *
- * Validate a user via kerberos.
- */
-static int
-sudo_krb_validate_user(pw, pass)
- struct passwd *pw;
- char *pass;
-{
- char realm[REALM_SZ];
- char tkfile[sizeof(_PATH_SUDO_TIMEDIR) + 4 + MAX_UID_T_LEN];
- int k_errno;
-
- /* Get the local realm, or retrun failure (no krb.conf) */
- if (krb_get_lrealm(realm, 1) != KSUCCESS)
- return(-1);
-
- /*
- * Set the ticket file to be in sudo sudo timedir so we don't
- * wipe out other kerberos tickets.
- */
- (void) sprintf(tkfile, "%s/tkt%ld", _PATH_SUDO_TIMEDIR,
- (long) pw->pw_uid);
- (void) krb_set_tkt_string(tkfile);
-
- /*
- * Update the ticket if password is ok. Kerb4 expects
- * the ruid and euid to be the same here so we setuid to root.
- */
- set_perms(PERM_ROOT, 0);
- k_errno = krb_get_pw_in_tkt(pw->pw_name, "", realm, "krbtgt", realm,
- DEFAULT_TKT_LIFE, pass);
-
- /*
- * If we authenticated, destroy the ticket now that we are done with it.
- * If not, warn on a "real" error.
- */
- if (k_errno == INTK_OK)
- dest_tkt();
- else if (k_errno != INTK_BADPW && k_errno != KDC_PR_UNKNOWN)
- (void) fprintf(stderr, "Warning: Kerberos error: %s\n",
- krb_err_txt[k_errno]);
-
- /* done with rootly stuff */
- set_perms(PERM_USER, 0);
-
- return(!(k_errno == INTK_OK));
-}
-#endif /* HAVE_KERB4 */
-
-
-#ifdef HAVE_KERB5
-/********************************************************************
- *
- * sudo_krb5_validate_user()
- *
- * Validate a user via Kerberos 5. We may lose a bit of memory, but it's
- * OK since we're a short lived program. I'd rather do that than contort
- * the code to handle the cleanup.
- */
-static int
-sudo_krb5_validate_user(pw, pass)
- struct passwd *pw;
- char *pass;
-{
- krb5_error_code retval;
- krb5_principal princ;
- krb5_creds creds;
- krb5_ccache ccache;
- char cache_name[64];
- char *princ_name;
- krb5_get_init_creds_opt opts;
-
- /* Initialize */
- if (!sudo_context)
- return -1;
- krb5_get_init_creds_opt_init(&opts);
-
- princ_name = emalloc(strlen(pw->pw_name) + strlen(realm) + 2);
-
- sprintf(princ_name, "%s@%s", pw->pw_name, realm);
- if (retval = krb5_parse_name(sudo_context, princ_name, &princ))
- return retval;
-
- /* Set the ticket file to be in /tmp so we don't need to change perms. */
- (void) sprintf(cache_name, "FILE:/tmp/sudocc_%ld", getpid());
- if (retval = krb5_cc_resolve(sudo_context, cache_name, &ccache))
- return retval;
-
- if (retval = krb5_get_init_creds_password(sudo_context, &creds, princ,
- pass, krb5_prompter_posix, NULL,
- 0, NULL, &opts))
- return retval;
-
- /* Stash the TGT so we can verify it. */
- if (retval = krb5_cc_initialize(sudo_context, ccache, princ))
- return retval;
- if (retval = krb5_cc_store_cred(sudo_context, ccache, &creds)) {
- (void) krb5_cc_destroy(sudo_context, ccache);
- return retval;
- }
-
- retval = verify_krb_v5_tgt(ccache);
- (void) krb5_cc_destroy(sudo_context, ccache);
- return (retval == -1);
-}
-
-
-/*
- * This routine with some modification is from the MIT V5B6 appl/bsd/login.c
- *
- * Verify the Kerberos ticket-granting ticket just retrieved for the
- * user. If the Kerberos server doesn't respond, assume the user is
- * trying to fake us out (since we DID just get a TGT from what is
- * supposedly our KDC). If the host/<host> service is unknown (i.e.,
- * the local keytab doesn't have it), let her in.
- *
- * Returns 1 for confirmation, -1 for failure, 0 for uncertainty.
- */
-static int
-verify_krb_v5_tgt(ccache)
- krb5_ccache ccache;
-{
- char phost[BUFSIZ];
- krb5_error_code retval;
- krb5_principal princ;
- krb5_keyblock * keyblock = 0;
- krb5_data packet;
- krb5_auth_context auth_context = NULL;
-
- packet.data = 0;
-
- /*
- * Get the server principal for the local host.
- * (Use defaults of "host" and canonicalized local name.)
- */
- if (krb5_sname_to_principal(sudo_context, NULL, NULL,
- KRB5_NT_SRV_HST, &princ))
- return -1;
-
- /* Extract the name directly. */
- strncpy(phost, krb5_princ_component(c, princ, 1)->data, BUFSIZ);
- phost[BUFSIZ - 1] = '\0';
-
- /*
- * Do we have host/<host> keys?
- * (use default keytab, kvno IGNORE_VNO to get the first match,
- * and enctype is currently ignored anyhow.)
- */
- if (retval = krb5_kt_read_service_key(sudo_context, NULL, princ, 0,
- ENCTYPE_DES_CBC_MD5, &keyblock)) {
- /* Keytab or service key does not exist */
- if (xrealm)
- retval = -1;
- else
- retval = 0;
- goto cleanup;
- }
- if (keyblock)
- krb5_free_keyblock(sudo_context, keyblock);
-
- /* Talk to the kdc and construct the ticket. */
- retval = krb5_mk_req(sudo_context, &auth_context, 0, "host", phost,
- NULL, ccache, &packet);
- if (auth_context) {
- krb5_auth_con_free(sudo_context, auth_context);
- auth_context = NULL; /* setup for rd_req */
- }
- if (retval) {
- retval = -1;
- goto cleanup;
- }
-
- /* Try to use the ticket. */
- retval = krb5_rd_req(sudo_context, &auth_context, &packet, princ,
- NULL, NULL, NULL);
- if (retval) {
- retval = -1;
- } else {
- retval = 1;
- }
-
-cleanup:
- if (packet.data)
- krb5_free_data_contents(sudo_context, &packet);
- krb5_free_principal(sudo_context, princ);
- return retval;
-
-}
-#endif /* HAVE_KERB5 */
-
-
-#ifdef HAVE_PAM
-/********************************************************************
- * pam_attempt_auth()
- *
- * Try to authenticate the user using Pluggable Authentication
- * Modules (PAM). Added 9/11/98 by Gary J. Calvin
- * Reworked for stock PAM by Amos Elberg and Todd Miller
- */
-static char *PAM_username;
-static char *PAM_password;
-
-static int
-PAM_conv(num_msg, msg, resp, appdata_ptr)
- int num_msg;
- PAM_CONST struct pam_message **msg;
- struct pam_response **resp;
- void *appdata_ptr;
-{
- int replies = 0;
- struct pam_response *reply = NULL;
-
- if ((reply = malloc(sizeof(struct pam_response) * num_msg)) == NULL)
- return(PAM_CONV_ERR);
-
- for (replies = 0; replies < num_msg; replies++) {
- switch (msg[replies]->msg_style) {
- case PAM_PROMPT_ECHO_ON:
- reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = estrdup(PAM_username);
- /* PAM frees resp */
- break;
- case PAM_PROMPT_ECHO_OFF:
- reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = estrdup(PAM_password);
- /* PAM frees resp */
- break;
- case PAM_TEXT_INFO:
- /* fall through */
- case PAM_ERROR_MSG:
- /* ignore it... */
- reply[replies].resp_retcode = PAM_SUCCESS;
- reply[replies].resp = NULL;
- break;
- default:
- /* Must be an error of some sort... */
- free(reply);
- return(PAM_CONV_ERR);
- }
- }
- if (reply)
- *resp = reply;
-
- return(PAM_SUCCESS);
-}
-
-static int
-pam_auth(user, password)
- char *user;
- char *password;
-{
- struct pam_conv PAM_conversation;
- pam_handle_t *pamh;
-
- /* Initialize our variables for PAM */
- PAM_conversation.conv = PAM_conv;
- PAM_conversation.appdata_ptr = NULL;
- PAM_password = password;
- PAM_username = user;
-
- /*
- * Setting PAM_SILENT stops generation of error messages to syslog
- * to enable debugging on Red Hat Linux set:
- * /etc/pam.d/sudo:
- * auth required /lib/security/pam_pwdb.so shadow nullok audit
- * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging)
- */
- if (pam_start("sudo", user, &PAM_conversation, &pamh) != PAM_SUCCESS ||
- pam_authenticate(pamh, PAM_SILENT) != PAM_SUCCESS) {
- pam_end(pamh, 0);
- return(0);
- }
-
- /* User authenticated successfully */
- pam_end(pamh, PAM_SUCCESS);
-
- return(1);
-}
-
-static void
-pam_attempt_auth()
-{
- int i = TRIES_FOR_PASSWORD;
-
- set_perms(PERM_ROOT, 0);
- while (i > 0) {
- char *pamPass = (char *) GETPASS(prompt, PASSWORD_TIMEOUT * 60);
-
- if (pam_auth(user_name, pamPass)) {
- set_perms(PERM_USER, 0);
- return;
- }
- --i;
- pass_warn(stderr);
- }
- set_perms(PERM_USER, 0);
-
- if (i == 0) {
- log_error(PASSWORD_NOT_CORRECT);
- inform_user(PASSWORD_NOT_CORRECT);
- } else {
- log_error(PASSWORDS_NOT_CORRECT);
- inform_user(PASSWORDS_NOT_CORRECT);
- }
- exit(1);
-}
-#endif /* HAVE_PAM */
-
-#ifdef HAVE_SKEY
-/********************************************************************
- *
- * sudo_skeyprompt()
- *
- * This function rewrites and return the prompt based the
- * s/key challenge * and fills in the user's skey structure.
- */
-
-static char *
-sudo_skeyprompt(user_skey, p)
- struct skey *user_skey;
- char *p;
-{
- char challenge[256];
- int rval;
- static char *orig_prompt = NULL, *new_prompt = NULL;
- static int op_len, np_size;
-
- /* save the original prompt */
- if (orig_prompt == NULL) {
- orig_prompt = p;
- op_len = strlen(p);
-
- /* ignore trailing colon */
- if (p[op_len - 1] == ':')
- op_len--;
- }
-
- /* close old stream */
- if (user_skey->keyfile)
- (void) fclose(user_skey->keyfile);
-
- /* get the skey part of the prompt */
- if ((rval = skeychallenge(user_skey, user_name, challenge)) != 0) {
-#ifdef OTP_ONLY
- (void) fprintf(stderr,
- "%s: You do not exist in the s/key database.\n",
- Argv[0]);
- exit(1);
-#else
- /* return the original prompt if we cannot get s/key info */
- return(orig_prompt);
-#endif /* OTP_ONLY */
- }
-
- /* get space for new prompt with embedded s/key challenge */
- if (new_prompt == NULL) {
- /* allocate space for new prompt */
- np_size = op_len + strlen(challenge) + 7;
- new_prompt = (char *) emalloc(np_size);
- } else {
- /* already have space allocated, is it enough? */
- if (np_size < op_len + strlen(challenge) + 7) {
- np_size = op_len + strlen(challenge) + 7;
- new_prompt = (char *) erealloc(new_prompt, np_size);
- }
- }
-
- /* embed the s/key challenge into the new password prompt */
-#ifdef LONG_OTP_PROMPT
- (void) sprintf(new_prompt, "%s\n%s", challenge, orig_prompt);
-#else
- (void) sprintf(new_prompt, "%.*s [ %s ]:", op_len, orig_prompt, challenge);
-#endif /* LONG_OTP_PROMPT */
-
- return(new_prompt);
-}
-#endif /* HAVE_SKEY */
-
-
-#ifdef HAVE_OPIE
-/********************************************************************
- *
- * sudo_opieprompt()
- *
- * This function rewrites and return the prompt based the
- * OPIE challenge * and fills in the user's opie structure.
- */
-
-static char *
-sudo_opieprompt(user_opie, p)
- struct opie *user_opie;
- char *p;
-{
- char challenge[OPIE_CHALLENGE_MAX];
- int rval;
- static char *orig_prompt = NULL, *new_prompt = NULL;
- static int op_len, np_size;
-
- /* save the original prompt */
- if (orig_prompt == NULL) {
- orig_prompt = p;
- op_len = strlen(p);
-
- /* ignore trailing colon */
- if (p[op_len - 1] == ':')
- op_len--;
- }
-
- /* get the opie part of the prompt */
- if ((rval = opiechallenge(user_opie, user_name, challenge)) != 0) {
-#ifdef OTP_ONLY
- (void) fprintf(stderr,
- "%s: You do not exist in the opie database.\n",
- Argv[0]);
- exit(1);
-#else
- /* return the original prompt if we cannot get opie info */
- return(orig_prompt);
-#endif /* OTP_ONLY */
- }
-
- /* get space for new prompt with embedded opie challenge */
- if (new_prompt == NULL) {
- /* allocate space for new prompt */
- np_size = op_len + strlen(challenge) + 7;
- new_prompt = (char *) emalloc(np_size);
- } else {
- /* already have space allocated, is it enough? */
- if (np_size < op_len + strlen(challenge) + 7) {
- np_size = op_len + strlen(challenge) + 7;
- new_prompt = (char *) erealloc(new_prompt, np_size);
- }
- }
-
- /* embed the s/key challenge into the new password prompt */
-#ifdef LONG_OTP_PROMPT
- (void) sprintf(new_prompt, "%s\n%s", challenge, orig_prompt);
-#else
- (void) sprintf(new_prompt, "%.*s [ %s ]:", op_len, orig_prompt, challenge);
-#endif /* LONG_OTP_PROMPT */
-
- return(new_prompt);
-}
-#endif /* HAVE_OPIE */
-
-
#ifndef NO_MESSAGE
/********************************************************************
*
#endif /* NO_MESSAGE */
-/********************************************************************
- *
- * pass_warn()
- *
- * warn the user that the password was incorrect
- * (and insult them if insults are configured).
- */
-
-void
-pass_warn(fp)
- FILE *fp;
-{
-
-#ifdef USE_INSULTS
- (void) fprintf(fp, "%s\n", INSULT);
-#else
- (void) fprintf(fp, "%s\n", INCORRECT_PASSWORD);
-#endif /* USE_INSULTS */
-}
-
/********************************************************************
*
* expand_prompt()
projects / sudo / commitdiff