
[OATH-Toolkit-help] Bug#807990: patch


From: Antoine Beaupré
Subject: [OATH-Toolkit-help] Bug#807990: patch
Date: Tue, 15 Dec 2015 00:54:50 -0500
User-agent: Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)

This patch has two problems:

 1. it doesn't compile (a fixed version follows)

 2. it's pretty dumb: it will only work if the user actually enters the
    right number of digits - i.e. the code currently checks whether the user
    exists only if the other parameters are filled in correctly

So basically, it doesn't work. Maybe the file check would need to be
done earlier, ironically enough...

--- oath-toolkit-2.6.1.orig/pam_oath/README
+++ oath-toolkit-2.6.1/pam_oath/README
@@ -224,6 +224,9 @@ List of all parameters
   "window": Specify search depth, an integer typically from 5 to 50
             but other values can be useful too.
 
+  "missingok": If specified, users missing from the "usersfile" will be
+               considered authentified.
+
 SSH Configuration
 -----------------
 
--- oath-toolkit-2.6.1.orig/pam_oath/pam_oath.c
+++ oath-toolkit-2.6.1/pam_oath/pam_oath.c
@@ -72,6 +72,7 @@ struct cfg
   char *usersfile;
   unsigned digits;
   unsigned window;
+  int missingok;
 };
 
 static void
@@ -86,6 +87,7 @@ parse_cfg (int flags, int argc, const ch
   cfg->usersfile = NULL;
   cfg->digits = -1;
   cfg->window = 5;
+  cfg->missingok = 0;
 
   for (i = 0; i < argc; i++)
     {
@@ -103,6 +105,8 @@ parse_cfg (int flags, int argc, const ch
        cfg->digits = atoi (argv[i] + 7);
       if (strncmp (argv[i], "window=", 7) == 0)
        cfg->window = atoi (argv[i] + 7);
+      if (strcmp (argv[i], "missingok") == 0)
+    cfg->missingok = 1;
     }
 
   if (cfg->digits != 6 && cfg->digits != 7 && cfg->digits != 8)
@@ -126,6 +130,7 @@ parse_cfg (int flags, int argc, const ch
       D (("usersfile=%s", cfg->usersfile ? cfg->usersfile : "(null)"));
       D (("digits=%d", cfg->digits));
       D (("window=%d", cfg->window));
+      D (("missingok=%d", cfg->missingok));
     }
 }
 
@@ -312,7 +317,7 @@ pam_sm_authenticate (pam_handle_t * pamh
          oath_strerror (rc), ctime (&last_otp)));
   }
 
-  if (rc != OATH_OK)
+  if (rc != OATH_OK && !(cfg.missingok && rc == OATH_UNKNOWN_USER)) 
     {
       DBG (("One-time password not authorized to login as user '%s'", user));
       retval = PAM_AUTH_ERR;
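Review bot: The new condition makes the module fail open without leaving any trace: when `missingok` is set and `rc == OATH_UNKNOWN_USER`, the error branch is skipped silently and the function presumably goes on to report success, as if an OTP had been verified. Handle that case in its own branch ahead of this test, log it (for example `DBG (("user '%s' not in usersfile, OTP check skipped", user));`) and consider setting `retval = PAM_IGNORE;` instead of letting it turn into a success, so that a `sufficient` pam_oath line cannot authenticate an unenrolled account on its own. As the message itself notes, the earlier input checks in pam_sm_authenticate still run first, so the user lookup would have to move ahead of them for the option to behave consistently. The added line also carries trailing whitespace, and the rest of pam_sm_authenticate lies outside the hunk.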

-- 
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
                         - Lucius Annaeus Seneca (58 AD)


