* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
+#include "config.h"
+
#include <sys/types.h>
#include <sys/wait.h>
#include <errno.h>
#include <limits.h>
#include <pwd.h>
-#ifdef HAVE_READPASSPHRASE_H
+#ifdef HAVE_READPASSPHRASE
# include <readpassphrase.h>
#else
-# include "readpassphrase.h"
+# include "sys-readpassphrase.h"
#endif
#include <signal.h>
#include <stdio.h>
#include <security/pam_appl.h>
-#include "includes.h"
+#include "openbsd.h"
+#include "doas.h"
+
+#ifndef HOST_NAME_MAX
+#define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
+#endif
#define PAM_SERVICE_NAME "doas"
for (i = 0; i < nmsgs; i++) {
if (rsp[i].resp == NULL)
continue;
- switch (style = msgs[i]->msg_style) {
+ switch (msgs[i]->msg_style) {
case PAM_PROMPT_ECHO_OFF:
case PAM_PROMPT_ECHO_ON:
explicit_bzero(rsp[i].resp, strlen(rsp[i].resp));
}
rsp[i].resp = NULL;
}
+ free(rsp);
return PAM_CONV_ERR;
}
exit(status);
}
-void
+int
pamauth(const char *user, const char *myname, int interactive, int nopass, int persist)
{
static const struct pam_conv conv = {
#endif
if (!user || !myname)
- errx(1, "Authorization failed");
+ return(5);
ret = pam_start(PAM_SERVICE_NAME, myname, &conv, &pamh);
if (ret != PAM_SUCCESS)
if (!nopass) {
if (!interactive)
- errx(1, "Authorization required");
+ return(5);
-#ifndef HOST_NAME_MAX
-#define HOST_NAME_MAX _POSIX_HOST_NAME_MAX
-#endif
/* doas style prompt for pam */
char host[HOST_NAME_MAX + 1];
if (gethostname(host, sizeof(host)))
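Review bot: The `return(5)` that replaces errx under `if (!interactive)` leaves pamauth after pam_start has already succeeded (the `ret = pam_start(...)` line in the previous hunk), but unlike the two later failure returns it does not call pamcleanup first, so now that the process no longer exits at this point the PAM transaction is never ended. Mirroring the later sites: `if (!interactive) { pamcleanup(ret, sess, cred); return(5); }`. Whether sess and cred are already declared and zeroed at this point is not visible in the hunk (they are passed to pamcleanup a few lines further down), so confirm before reusing them. pamauth's body begins before and continues after this hunk.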
if (ret != PAM_SUCCESS) {
pamcleanup(ret, sess, cred);
syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ return(5);
}
}
if (ret != PAM_SUCCESS) {
pamcleanup(ret, sess, cred);
syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
- errx(1, "Authorization failed");
+ return(5);
}
/* set PAM_USER to the user we want to be */
warn("pam_set_item(?, PAM_USER, \"%s\"): %s", user,
pam_strerror(pamh, ret));
- ret = pam_setcred(pamh, PAM_ESTABLISH_CRED);
+ ret = pam_setcred(pamh, PAM_REINITIALIZE_CRED);
if (ret != PAM_SUCCESS)
- warn("pam_setcred(?, PAM_ESTABLISH_CRED): %s", pam_strerror(pamh, ret));
+ warn("pam_setcred(?, PAM_REINITIALIZE_CRED): %s", pam_strerror(pamh, ret));
else
cred = 1;
}
#endif
watchsession(child, sess, cred);
+ return(0);
}
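Review bot: The failure code 5 is a bare magic number repeated at four return sites in pamauth (the `!user || !myname` check, the `!interactive` check, and both `failed auth` branches) against a bare 0 on the new final `return(0);`, and no comment documents the contract the callers must now interpret. A named constant next to `#define PAM_SERVICE_NAME "doas"`, e.g. `enum { PAMAUTH_OK = 0, PAMAUTH_DENIED = 5 };`, plus a one-line header comment on pamauth such as `/* Returns 0 on success, 5 if authorization was refused or failed; the caller is expected to report and exit. */` would make the change self-describing. Note also that the former "Authorization required" (non-interactive) and "Authorization failed" cases now collapse into the same return value, so the caller can no longer distinguish them unless that distinction is recovered elsewhere. The parenthesized `return(5)` / `return(0)` is also out of step with `return PAM_CONV_ERR;` earlier in the file; `return 5;` would match.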