
[OATH-Toolkit-help] Bug#807990: third patch, fails more gracefully

From: Antoine Beaupré
Subject: [OATH-Toolkit-help] Bug#807990: third patch, fails more gracefully
Date: Mon, 01 Aug 2016 12:40:20 -0400
User-agent: Notmuch/0.21 (http://notmuchmail.org) Emacs/24.4.1 (x86_64-pc-linux-gnu)

The following patch makes use of the PAM_USER_UNKNOWN flag in a more
graceful way, and checks before prompting for the password. It could be
using more direct parsing functions, but that turned out to be harder
because the parse_usersfile function has a more complicated signature
than the actual authentication function.

diff --git a/pam_oath/README b/pam_oath/README
index bef4265..a6cbe56 100644
--- a/pam_oath/README
+++ b/pam_oath/README
@@ -23,7 +23,7 @@ window open before making any changes!
 # head -1 /etc/pam.d/su
-auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20
+auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20 
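Review bot: this README hunk changes nothing but whitespace: the removed and added `auth requisite pam_oath.so debug usersfile=/etc/users.oath window=20` lines are identical except for a trailing space on the `+` line. Either drop the README change from the patch or make it document the new behaviour (users not listed in usersfile now fail with PAM_USER_UNKNOWN before any OTP prompt), since as it stands it only introduces trailing whitespace.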
diff --git a/pam_oath/pam_oath.c b/pam_oath/pam_oath.c
index 2820318..25a3452 100644
--- a/pam_oath/pam_oath.c
+++ b/pam_oath/pam_oath.c
@@ -162,6 +162,23 @@ pam_sm_authenticate (pam_handle_t * pamh,
   DBG (("get user returned: %s", user));
+  // quick check to skip unconfigured users before prompting for password
+  {
+    time_t last_otp;
+    otp[0] = '\0';
+    rc = oath_authenticate_usersfile (cfg.usersfile,
+                                      user,
+                                      otp, cfg.window, onlypasswd, &last_otp);
+    DBG (("authenticate first pass rc %d (%s: %s) last otp %s", rc,
+          oath_strerror_name (rc) ? oath_strerror_name (rc) : "UNKNOWN",
+          oath_strerror (rc), ctime (&last_otp)));
+    if (rc == OATH_UNKNOWN_USER)
+      {
+        return PAM_USER_UNKNOWN;
+      }
+  }
   if (cfg.try_first_pass || cfg.use_first_pass)
       retval = pam_get_item (pamh, PAM_AUTHTOK, (const void **) &password);
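Review bot: the early `return PAM_USER_UNKNOWN;` in the new block runs before the pam_get_item / password prompt path that follows it, so the module's observable behaviour now differs between users present in usersfile and users absent from it. That is the point of the bug (fail gracefully for unconfigured users), but it should be stated explicitly in the commit message and README, because on a stack where pam_oath is the first module that would prompt, skipping the prompt is a user-enumeration signal that administrators need to know about. Two smaller points in the same block: `time_t last_otp;` is declared without an initialiser and is handed to `ctime (&last_otp)` in the DBG call regardless of `rc`, so on the unknown-user path (and any other early error return that never sets it) the debug log formats an indeterminate value; initialise it (`time_t last_otp = 0;`) or only format it when rc reports success. And since the first-pass call is made with `otp[0] = '\0'`, it can only ever fail for a configured user and every rc other than OATH_UNKNOWN_USER is discarded; a one-line comment saying that only OATH_UNKNOWN_USER is significant here would save the next reader a trip through the library to confirm that.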

It still parses the file twice, but I'm not sure how to fix that short
of loading the whole file in memory, which isn't the way the library
works now.

We have no friends but the mountains.
                        - Kurdish saying
