Version tested; few config bugs fixed
This version was at least tested to work. Many features
from the config file work, but not all. In particular, the key database
is currently only 'local', so no policy enforcement works.
Tomasz bla Fortuna committed Dec 22, 2009
1 parent 90b8329 commit 8c69980
Showing 10 changed files with 46 additions and 30 deletions.
1 change: 1 addition & 0 deletions ChangeLog
Expand Up @@ -27,6 +27,7 @@ Trying to sort tasks according to their priority.
ppp implements high-level functions which should be used
explicitly to manage state information unless something
more fine-grained is necessary.
* [-] Passing -f, -d, -c along with the -k.
* [-] Scan all FIXME/TODO entries
* [-] Manuals
* [-] Improve error messages when state file is not found.
7 changes: 3 additions & 4 deletions examples/otpasswd-login
Expand Up @@ -3,9 +3,8 @@ auth required pam_shells.so
auth required pam_nologin.so
auth required pam_env.so
auth requisite pam_unix.so try_first_pass likeauth nullok
# Without OOB
auth required pam_otpasswd.so retry=2
# Example with OOB
# auth required pam_otpasswd.so retry=2 debug oob=1 oob_path=/etc/security/otpasswd_oob.sh

# You can pass 'debug' or 'silent' options here.
# Rest of the configuration is done in /etc/security/otpasswd.conf
auth required pam_otpasswd.so
session optional pam_otpasswd.so
8 changes: 7 additions & 1 deletion examples/otpasswd.conf
Expand Up @@ -115,7 +115,13 @@ MAX_ALPHABET_LENGTH=88
# Set default passcode and alphabet length
##
DEF_PASSCODE_LENGTH=4
DEF_ALPHABET_LENGTH=64

# 0 - 64 character long alphabet:
# !#%+23456789:=?@ABCDEFGHJKLMNPRSTUVWXYZabcdefghijkmnopqrstuvwxyz
# 1 - 88 character long:
# !"#$%&'()*+,-./23456789:;<=>?@ABCDEFGHJKLMNOPRSTUVWXYZ
# [\\]^_abcdefghijkmnopqrstuvwxyz{|}~
DEF_ALPHABET=0

##
# 0 - Disallow generation of salt
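Review bot: The 88-character alphabet described in the new comment shows a doubled backslash in `# [\\]^_abcdefghijkmnopqrstuvwxyz{|}~`, so the two comment lines counted literally give 89 characters rather than the 88 the heading promises (the 64-character line above does count to 64). If the doubling is an escape carried over from C source, the comment should read `# [\]^_abcdefghijkmnopqrstuvwxyz{|}~` so an administrator sees the exact character set. It would also help to say next to `DEF_ALPHABET=0` that only 0 and 1 are accepted, which is what the parser's `REQUIRE_ARG(0, 1)` in libotp/config.c enforces.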
12 changes: 6 additions & 6 deletions libotp/config.c
Expand Up @@ -52,7 +52,7 @@ static void _config_defaults(cfg_t *cfg)
.def_passcode_length = 4,
.min_passcode_length = 2,
.max_passcode_length = 16,
.def_alphabet_length = 64,
.def_alphabet = 0,
.min_alphabet_length = 64,
.max_alphabet_length = 88,
.allow_salt = 1,
Expand Down Expand Up @@ -207,7 +207,7 @@ static int _config_parse(cfg_t *cfg, const char *config_path)

/* Parsing PAM configuration */
} else if (_EQ(line_buf, "show")) {
REQUIRE_ARG(1,3);
REQUIRE_ARG(0,2);
cfg->show = arg;
} else if (_EQ(line_buf, "enforce")) {
REQUIRE_ARG(0, 1);
Expand All @@ -217,7 +217,7 @@ static int _config_parse(cfg_t *cfg, const char *config_path)
cfg->retry = arg;
} else if (_EQ(line_buf, "retries")) {
REQUIRE_ARG(2, 5);
cfg->retry = arg;
cfg->retries_count = arg;
} else if (_EQ(line_buf, "logging")) {
REQUIRE_ARG(0, 2);
cfg->logging = arg;
Expand Down Expand Up @@ -269,9 +269,9 @@ static int _config_parse(cfg_t *cfg, const char *config_path)
REQUIRE_ARG(2, 16);
cfg->max_passcode_length = arg;

} else if (_EQ(line_buf, "def_alphabet_length")) {
REQUIRE_ARG(64, 88);
cfg->def_alphabet_length = arg;
} else if (_EQ(line_buf, "def_alphabet")) {
REQUIRE_ARG(0, 1);
cfg->def_alphabet = arg;
} else if (_EQ(line_buf, "min_alphabet_length")) {
REQUIRE_ARG(64, 88);
cfg->min_alphabet_length = arg;
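Review bot: The new `retries` option is stored into `cfg->retries_count` under the `REQUIRE_ARG(2, 5)` branch, but the `_config_defaults` hunk above shows only the `.def_alphabet = 0` default and no `.retries_count` entry; if no default exists outside this view, a configuration that sets `retry` but omits `retries` leaves `retries_count` at 0, and the loop bound `cfg->retry == 0 ? 1 : cfg->retries_count` in pam/pam_otpasswd.c then runs zero iterations. Adding `.retries_count = 3,` to the `_config_defaults` initializer (3 is the constant the loop used before this commit) would keep the previous behaviour when the option is absent. Both `_config_defaults` and `_config_parse` extend beyond the hunks shown here.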
8 changes: 7 additions & 1 deletion libotp/config.h
Expand Up @@ -90,6 +90,9 @@ typedef struct {
*/
int retry;

/* How many retries are allowed */
int retries_count;

/* Shall we echo entered passcode?
* 1 - user selected
* 0 - (noshow) echo disabled
Expand Down Expand Up @@ -135,7 +138,10 @@ typedef struct {
int max_passcode_length;

/* Alphabet configuration. Default, minimal and maximal */
int def_alphabet_length;
/* def=0 - 64 long alphabet
* def=1 - 88 long alphabet
*/
int def_alphabet;
int min_alphabet_length;
int max_alphabet_length;

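Review bot: The comment on the new field, `/* How many retries are allowed */`, does not say when the value is consulted or which values are accepted, while the parser in libotp/config.c bounds it with `REQUIRE_ARG(2, 5)` and pam/pam_otpasswd.c reads it only when `retry` is non-zero. Suggest `/* Number of attempts when retry != 0 (config key "retries", 2..5) */` so the header matches the parser. The `def_alphabet` comment is clear on the 0/1 meaning; naming the example key `DEF_ALPHABET` there as well would tie it to examples/otpasswd.conf.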
11 changes: 11 additions & 0 deletions libotp/ppp.c
Expand Up @@ -475,6 +475,17 @@ int ppp_release(state *s, int store, int unlock)
return retval;
}

/********************
* Accessors
*******************/
const char *ppp_get_username(const state *s)
{
return s->username;
}

/*******************
* Atomic combos
*******************/
int ppp_increment(state *s)
{
int ret;
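Review bot: `ppp_get_username` returns `s->username` directly, so the caller receives a pointer that aliases the state object and presumably must neither free it nor use it after the state is released; neither this definition nor the matching `extern` added in libotp/ppp.h says so. A short comment above the definition, or on the declaration in ppp.h where the other entry points are documented, such as `/* Username stored in s; the pointer is owned by the state and valid only while s is */`, would make the contract explicit. Whether `s->username` can still be NULL when pam/pam_otpasswd.c passes it to a `%s` format is not visible here and is worth confirming.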
2 changes: 2 additions & 0 deletions libotp/ppp.h
Expand Up @@ -106,6 +106,8 @@ extern int ppp_load(state *s);
*/
extern int ppp_release(state *s, int store, int unlock);

extern const char *ppp_get_username(const state *s);

/*
* 1. Lock file
* 2a. Open it
5 changes: 1 addition & 4 deletions libotp/state.c
Expand Up @@ -649,9 +649,6 @@ int state_init(state *s, const char *username)
assert(cfg->def_passcode_length >= 2 &&
cfg->def_passcode_length <= 16);

assert(cfg->def_alphabet_length == 64 ||
cfg->def_alphabet_length == 88);

mpz_init(s->counter);
mpz_init(s->sequence_key);
mpz_init(s->latest_card);
Expand All @@ -676,7 +673,7 @@ int state_init(state *s, const char *username)
s->code_length = cfg->def_passcode_length;
if (cfg->show != 0)
s->flags = FLAG_SHOW;
if (cfg->def_alphabet_length == 88)
if (cfg->def_alphabet == 1)
s->flags |= FLAG_ALPHABET_EXTENDED;

s->failures = 0;
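Review bot: The removed `assert(cfg->def_alphabet_length == 64 || cfg->def_alphabet_length == 88)` has no replacement, while the neighbouring `assert(cfg->def_passcode_length >= 2 && ...)` is kept, so state_init no longer checks the alphabet selection it reads at `if (cfg->def_alphabet == 1)`. The parser in libotp/config.c limits the key to 0..1 with `REQUIRE_ARG(0, 1)`, but for consistency with the passcode-length assertion I would add `assert(cfg->def_alphabet == 0 || cfg->def_alphabet == 1);` in its place. Note also that `s->flags |= FLAG_ALPHABET_EXTENDED` ORs into `s->flags`, which the preceding `if (cfg->show != 0)` assigns only conditionally; whether `s->flags` is zeroed earlier in state_init lies outside this hunk.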
10 changes: 0 additions & 10 deletions pam/pam_helpers.c
Expand Up @@ -29,23 +29,13 @@
/* kill() */
#include <signal.h>



#define PAM_SM_AUTH
#define PAM_SM_SESSION
//#define PAM_SM_ACCOUNT
//#define PAM_SM_PASSWORD
#define _PAM_EXTERN_FUNCTIONS

#include <pam_modules.h>

/* FreeBSD */
#include <pam_appl.h>

#include "pam_macros.h"



#include "print.h"
#include "num.h"
#include "ppp.h"
12 changes: 8 additions & 4 deletions pam/pam_otpasswd.c
Expand Up @@ -61,7 +61,7 @@ PAM_EXTERN int pam_sm_authenticate(

/* Retry = 0 - do not retry, 1 - with changing passcodes */
int tries;
for (tries = 0; tries < (cfg->retry == 0 ? 1 : 3); tries++) {
for (tries = 0; tries < (cfg->retry == 0 ? 1 : cfg->retries_count); tries++) {
if (tries == 0 || cfg->retry == 1) {
/* First time or we are retrying while changing the password */
retval = ph_increment(pamh, cfg, s);
Expand Down Expand Up @@ -113,15 +113,19 @@ PAM_EXTERN int pam_sm_authenticate(

/* Correctly authenticated */
retval = PAM_SUCCESS;
print(PRINT_NOTICE, "Authentication succeded\n");
print(PRINT_WARN,
"Accepted otp authentication for user %s\n",
ppp_get_username(s));
goto cleanup;
}

/* Error during authentication */
retval = PAM_AUTH_ERR;
}

print(PRINT_NOTICE, "Authentication failed\n");
print(PRINT_WARN,
"Authentication failure; user=%s; try=%d/%d\n",
ppp_get_username(s), tries+1, cfg->retries_count);
}

cleanup:
ph_fini(s);
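Review bot: The failure log added as `"Authentication failure; user=%s; try=%d/%d\n"` reports `cfg->retries_count` as the total, but the loop bound on `for (tries = 0; tries < (cfg->retry == 0 ? 1 : cfg->retries_count); tries++)` is 1 when `retry` is 0, so in that mode the message reads `try=1/N` for what is a single attempt. Computing the bound once, `const int max_tries = cfg->retry == 0 ? 1 : cfg->retries_count;`, and using `max_tries` in both the loop condition and the log keeps them in step, and gives a natural place to reject `max_tries < 1`, since a `retries_count` of 0 would leave the loop unexecuted and `retval` (declared outside this hunk) at whatever it held before. The username is now interpolated into two log lines through `ppp_get_username(s)`; if that can return NULL the `%s` is undefined behaviour, and because the name originates from the PAM conversation, filtering control characters before logging would stop a crafted name from forging additional log records.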