/* * CU sudo version 1.6 * Copyright (c) 1998, 1999 Todd C. Miller * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 1, or (at your option) * any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. * * Please send bugs, changes, problems to sudo-bugs@courtesan.com * ******************************************************************* * * check_sia.c -- check a user's password using Digital UNIX's * Security Integration Architecture * * Spider Boardman Sep 26, 1998 */ #include "config.h" #ifdef HAVE_SIA #include #ifdef STDC_HEADERS #include #endif /* STDC_HEADERS */ #ifdef HAVE_UNISTD_H #include #endif /* HAVE_UNISTD_H */ #ifdef HAVE_STRING_H #include #endif /* HAVE_STRING_H */ #ifdef HAVE_STRINGS_H #include #endif /* HAVE_STRINGS_H */ #include #include #include #include #include "sudo.h" #ifndef lint static const char rcsid[] = "$Sudo$"; #endif /* lint */ /* * Prototypes for local functions */ static int tcollect __P((int, int, uchar_t *, int, prompt_t *)); /******************************************************************** * tcollect() * * Collection routine (callback) for limiting the timeouts in SIA * prompts. */ static int tcollect(timeout, rendition, title, nprompts, prompts) int timeout; int rendition; uchar_t *title; int nprompts; prompt_t *prompts; { switch (rendition) { case SIAFORM: case SIAONELINER: if (timeout <= 0 || timeout > PASSWORD_TIMEOUT * 60) timeout = PASSWORD_TIMEOUT * 60; /* * Substitute custom prompt if a) the sudo prompt is not "Password:" * and b) the SIA prompt is "Password:" (so we know it is safe). * This keeps us from overwriting things like s/key challenges. */ if (strcmp((char *)prompts[0].prompt, "Password:") == 0 && strcmp(prompt, "Password:") != 0) prompts[0].prompt = (unsigned char *)prompt; break; default: break; } return sia_collect_trm(timeout, rendition, title, nprompts, prompts); } /******************************************************************** * sia_attempt_auth() * * Try to authenticate the user using Security Integration Architecture * (SIA). Added 9/26/98 by Spider Boardman */ void sia_attempt_auth() { SIAENTITY *siah = NULL; int retval; int counter = TRIES_FOR_PASSWORD; set_perms(PERM_ROOT, 0); while (counter > 0) { retval = sia_ses_init(&siah, Argc, Argv, NULL, user_name, ttyname(0), 1, NULL); if (retval != SIASUCCESS) { set_perms(PERM_USER, 0); log_error(BAD_AUTH_INIT); inform_user(BAD_AUTH_INIT); exit(1); } /* XXX - need a way to detect user hitting return or EOF at prompt */ retval = sia_ses_reauthent(tcollect, siah); (void) sia_ses_release(&siah); if (retval == SIASUCCESS) { set_perms(PERM_USER, 0); return; } --counter; /* otherwise, try again */ pass_warn(stderr); } set_perms(PERM_USER, 0); log_error(counter ? PASSWORD_NOT_CORRECT : PASSWORDS_NOT_CORRECT); inform_user(counter ? PASSWORD_NOT_CORRECT : PASSWORDS_NOT_CORRECT); exit(1); } #endif /* HAVE_SIA */