Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sudo-project
GitHub Repository: sudo-project/sudo
 Path: blob/main/plugins/sudoers/auth/securid5.c
1532 views
1
/*

2
 * SPDX-License-Identifier: ISC

3
 *

4
 * Copyright (c) 1999-2005, 2007, 2010-2012, 2014-2016

5
 *	Todd C. Miller <[email protected]>

6
 * Copyright (c) 2002 Michael Stroucken <[email protected]>

7
 *

8
 * Permission to use, copy, modify, and distribute this software for any

9
 * purpose with or without fee is hereby granted, provided that the above

10
 * copyright notice and this permission notice appear in all copies.

11
 *

12
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

13
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

14
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR

15
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

16
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN

17
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF

18
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

19
 *

20
 * Sponsored in part by the Defense Advanced Research Projects

21
 * Agency (DARPA) and Air Force Research Laboratory, Air Force

22
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.

23
 */

24


25
#include <config.h>

26


27
#ifdef HAVE_SECURID

28


29
#include <sys/types.h>

30
#include <stdio.h>

31
#include <stdlib.h>

32
#include <string.h>

33
#include <unistd.h>

34
#include <pwd.h>

35


36
/* Needed for SecurID v5.0 Authentication on UNIX */

37
#define UNIX 1

38
#include <acexport.h>

39
#include <sdacmvls.h>

40


41
#include <sudoers.h>

42
#include "sudo_auth.h"

43


44
/*

45
 * securid_init - Initialises communications with ACE server

46
 * Arguments in:

47
 *     pw - UNUSED

48
 *     auth - sudo authentication structure

49
 *

50
 * Results out:

51
 *     auth - auth->data contains pointer to new SecurID handle

52
 *     return code - Fatal if initialization unsuccessful, otherwise

53
 *                   success.

54
 */

55
int

56
sudo_securid_init(const struct sudoers_context *ctx, struct passwd *pw,

57
    sudo_auth *auth)

58
{

59
    static SDI_HANDLE sd_dat;			/* SecurID handle */

60
    debug_decl(sudo_securid_init, SUDOERS_DEBUG_AUTH);

61


62
    /* Only initialize once. */

63
    if (auth->data != NULL)

64
	debug_return_int(AUTH_SUCCESS);

65


66
    if (IS_NONINTERACTIVE(auth))

67
        debug_return_int(AUTH_NONINTERACTIVE);

68


69
    /* Start communications */

70
    if (AceInitialize() == SD_FALSE) {

71
	sudo_warnx("%s", U_("failed to initialise the ACE API library"));

72
	debug_return_int(AUTH_ERROR);

73
    }

74


75
    auth->data = (void *) &sd_dat;		/* For method-specific data */

76


77
    debug_return_int(AUTH_SUCCESS);

78
}

79


80
/*

81
 * securid_setup - Initialises a SecurID transaction and locks out other

82
 *     ACE servers

83
 *

84
 * Arguments in:

85
 *     pw - struct passwd for username

86
 *     promptp - UNUSED

87
 *     auth - sudo authentication structure for SecurID handle

88
 *

89
 * Results out:

90
 *     return code - Success if transaction started correctly, fatal

91
 *                   otherwise

92
 */

93
int

94
sudo_securid_setup(const struct sudoers_context *ctx, struct passwd *pw,

95
    char **promptp, sudo_auth *auth)

96
{

97
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;

98
    int retval;

99
    debug_decl(sudo_securid_setup, SUDOERS_DEBUG_AUTH);

100


101
    /* Re-initialize SecurID every time. */

102
    if (SD_Init(sd) != ACM_OK) {

103
	sudo_warnx("%s", U_("unable to contact the SecurID server"));

104
	debug_return_int(AUTH_ERROR);

105
    }

106


107
    /* Lock new PIN code */

108
    retval = SD_Lock(*sd, pw->pw_name);

109


110
    switch (retval) {

111
	case ACM_OK:

112
		sudo_warnx("%s", U_("User ID locked for SecurID Authentication"));

113
		debug_return_int(AUTH_SUCCESS);

114


115
        case ACE_UNDEFINED_USERNAME:

116
		sudo_warnx("%s", U_("invalid username length for SecurID"));

117
		debug_return_int(AUTH_ERROR);

118


119
	case ACE_ERR_INVALID_HANDLE:

120
		sudo_warnx("%s", U_("invalid Authentication Handle for SecurID"));

121
		debug_return_int(AUTH_ERROR);

122


123
	case ACM_ACCESS_DENIED:

124
		sudo_warnx("%s", U_("SecurID communication failed"));

125
		debug_return_int(AUTH_ERROR);

126


127
	default:

128
		sudo_warnx("%s", U_("unknown SecurID error"));

129
		debug_return_int(AUTH_ERROR);

130
	}

131
}

132


133
/*

134
 * securid_verify - Authenticates user and handles ACE responses

135
 *

136
 * Arguments in:

137
 *     pw - struct passwd for username

138
 *     prompt - UNUSED

139
 *     auth - sudo authentication structure for SecurID handle

140
 *

141
 * Results out:

142
 *     return code - Success on successful authentication, failure on

143
 *                   incorrect authentication, fatal on errors

144
 */

145
int

146
sudo_securid_verify(const struct sudoers_context *ctx, struct passwd *pw,

147
    const char *promp, sudo_auth *auth, struct sudo_conv_callback *callback)

148
{

149
    SDI_HANDLE *sd = (SDI_HANDLE *) auth->data;

150
    char *pass;

151
    int ret;

152
    debug_decl(sudo_securid_verify, SUDOERS_DEBUG_AUTH);

153


154
    pass = auth_getpass("Enter your PASSCODE: ", SUDO_CONV_PROMPT_ECHO_OFF,

155
	callback);

156


157
    /* Have ACE verify password */

158
    switch (SD_Check(*sd, pass, pw->pw_name)) {

159
	case ACM_OK:

160
		ret = AUTH_SUCESS;

161
		break;

162


163
	case ACE_UNDEFINED_PASSCODE:

164
		sudo_warnx("%s", U_("invalid passcode length for SecurID"));

165
		ret = AUTH_ERROR;

166
		break;

167


168
	case ACE_UNDEFINED_USERNAME:

169
		sudo_warnx("%s", U_("invalid username length for SecurID"));

170
		ret = AUTH_ERROR;

171
		break;

172


173
	case ACE_ERR_INVALID_HANDLE:

174
		sudo_warnx("%s", U_("invalid Authentication Handle for SecurID"));

175
		ret = AUTH_ERROR;

176
		break;

177


178
	case ACM_ACCESS_DENIED:

179
		ret = AUTH_FAILURE;

180
		break;

181


182
	case ACM_NEXT_CODE_REQUIRED:

183
                /* Sometimes (when current token close to expire?)

184
                   ACE challenges for the next token displayed

185
                   (entered without the PIN) */

186
		if (pass != NULL)

187
		    freezero(pass, strlen(pass));

188
        	pass = auth_getpass("\

189
!!! ATTENTION !!!\n\

190
Wait for the token code to change, \n\

191
then enter the new token code.\n", \

192
		SUDO_CONV_PROMPT_ECHO_OFF, callback);

193


194
		if (SD_Next(*sd, pass) == ACM_OK) {

195
			ret = AUTH_SUCCESS;

196
			break;

197
		}

198


199
		ret = AUTH_FAILURE;

200
		break;

201


202
	case ACM_NEW_PIN_REQUIRED:

203
                /*

204
		 * This user's SecurID has not been activated yet,

205
                 * or the pin has been reset

206
		 */

207
		/* XXX - Is setting up a new PIN within sudo's scope? */

208
		SD_Pin(*sd, "");

209
		sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, 

210
		    "Your SecurID access has not yet been set up.\n");

211
		sudo_printf(SUDO_CONV_ERROR_MSG|SUDO_CONV_PREFER_TTY, 

212
		    "Please set up a PIN before you try to authenticate.\n");

213
		ret = AUTH_ERROR;

214
		break;

215


216
	default:

217
		sudo_warnx("%s", U_("unknown SecurID error"));

218
		ret = AUTH_ERROR;

219
		break;

220
    }

221


222
    /* Free resources */

223
    SD_Close(*sd);

224


225
    if (pass != NULL)

226
	freezero(pass, strlen(pass));

227


228
    /* Return stored state to calling process */

229
    debug_return_int(ret);

230
}

231


232
#endif /* HAVE_SECURID */

233


234