[OATH-Toolkit-help] Bug#807990: patch
From: |
Antoine Beaupré |
Subject: |
[OATH-Toolkit-help] Bug#807990: patch |
Date: |
Tue, 15 Dec 2015 00:54:50 -0500 |
User-agent: |
Notmuch/0.18.2 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu) |
This patch has two problems:
1. it doesn't compile (a fixed version follows)
2. it's pretty dumb: it will work only if the user actually enters the
right number of digits - i.e. the code currently checks whether the user
exists only if the other parameters are filled in correctly
So basically, it doesn't work. Maybe the file check would need to be
done earlier, ironically enough...
--- oath-toolkit-2.6.1.orig/pam_oath/README
+++ oath-toolkit-2.6.1/pam_oath/README
@@ -224,6 +224,9 @@ List of all parameters
"window": Specify search depth, an integer typically from 5 to 50
but other values can be useful too.
+ "missingok": If specified, users missing from the "usersfile" will be
+ considered authentified.
+
SSH Configuration
-----------------
--- oath-toolkit-2.6.1.orig/pam_oath/pam_oath.c
+++ oath-toolkit-2.6.1/pam_oath/pam_oath.c
@@ -72,6 +72,7 @@ struct cfg
char *usersfile;
unsigned digits;
unsigned window;
+ int missingok;
};
static void
@@ -86,6 +87,7 @@ parse_cfg (int flags, int argc, const ch
cfg->usersfile = NULL;
cfg->digits = -1;
cfg->window = 5;
+ cfg->missingok = 0;
for (i = 0; i < argc; i++)
{
@@ -103,6 +105,8 @@ parse_cfg (int flags, int argc, const ch
cfg->digits = atoi (argv[i] + 7);
if (strncmp (argv[i], "window=", 7) == 0)
cfg->window = atoi (argv[i] + 7);
+ if (strcmp (argv[i], "missingok") == 0)
+ cfg->missingok = 1;
}
if (cfg->digits != 6 && cfg->digits != 7 && cfg->digits != 8)
@@ -126,6 +130,7 @@ parse_cfg (int flags, int argc, const ch
D (("usersfile=%s", cfg->usersfile ? cfg->usersfile : "(null)"));
D (("digits=%d", cfg->digits));
D (("window=%d", cfg->window));
+ D (("missingok=%d", cfg->missingok));
}
}
@@ -312,7 +317,7 @@ pam_sm_authenticate (pam_handle_t * pamh
oath_strerror (rc), ctime (&last_otp)));
}
- if (rc != OATH_OK)
+ if (rc != OATH_OK && !(cfg.missingok && rc == OATH_UNKNOWN_USER))
{
DBG (("One-time password not authorized to login as user '%s'", user));
retval = PAM_AUTH_ERR;
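Review bot: The exemption added to `if (rc != OATH_OK && !(cfg.missingok && rc == OATH_UNKNOWN_USER))` makes the module fail open: with `missingok` set, an `OATH_UNKNOWN_USER` result skips the `PAM_AUTH_ERR` branch and presumably falls through to the success path (the rest of pam_sm_authenticate is outside the hunk). If that path returns PAM_SUCCESS, an account absent from the usersfile, for example after an accidental deletion or a truncated file, is reported as having passed the OTP check, which on a `sufficient` line would be the whole authentication. Handling the case in its own branch with `retval = PAM_IGNORE;` would leave the decision to the rest of the stack instead of counting a skipped check as a success. That branch should also log the user name unconditionally rather than only through `DBG`, so every skipped OTP check leaves an audit trail.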
--
Omnis enim ex infirmitate feritas est.
All cruelty springs from weakness.
- Lucius Annaeus Seneca (58 AD)