On August 26, 2015 10:21:23 AM GMT+02:00, Renaud Allard <ren...@allard.it> 
wrote:
>On 08/26/2015 09:36 AM, Renaud Allard wrote:
>> On 08/26/2015 09:26 AM, Gregor Best wrote:
>>> On Wed, Aug 26, 2015 at 08:42:31AM +0200, Renaud Allard wrote:
>>>> [...]
>>>> +    fprintf(stderr, "usage: doas [-ans] [-C config] [-u user]
>command
>>>> [args]\n");
>>>> [...]
>>>
>>> The usage string should probably be
>>>
>>>     "usage: doas [-ns] [-a style] [-C config] [-u user] command
>[args]"
>>>
>>> and the new option should appear in doas(1).
>>>
>>
>> True, I will change and add that
>>
>>
>Here is the new patch with the man correct and an additional auth-doas 
>as suggested by Alexander Hall
>
>diff -ur doas.orig/doas.1 doas/doas.1
>--- doas.orig/doas.1   Wed Aug 26 10:18:27 2015
>+++ doas/doas.1        Wed Aug 26 10:17:21 2015
>@@ -40,6 +40,12 @@
>  .Pp
>  The options are as follows:
>  .Bl -tag -width tenletters
>+.It Fl a Ar style
>+The
>+.Fl a
>+(authentication style) option causes
>+.Nm
>+to use the specified authentication style when validating the user, as
>
>allowed by /etc/login.conf. The system administrator may specify a list
>
>of sudo-specific authentication methods by adding an ``auth-doas''
>entry 
>in /etc/login.conf.

That is a horribly long line.

>  .It Fl C Ar config
>  Parse and check the configuration file
>  .Ar config ,
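
Review bot: in the added .Fl a text, "sudo-specific authentication methods" should read doas-specific, since the entry being documented is ``auth-doas''. The paragraph should also be wrapped the way the rest of the mdoc source is, with each sentence starting on its own line, and both /etc/login.conf mentions marked up with .Pa.
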
>diff -ur doas.orig/doas.c doas/doas.c
>--- doas.orig/doas.c   Wed Aug 26 10:18:27 2015
>+++ doas/doas.c        Wed Aug 26 10:16:14 2015
>@@ -36,7 +36,7 @@
>  static void __dead
>  usage(void)
>  {
>-      fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command 
>[args]\n");
>+      fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user] 
>command [args]\n");
>       exit(1);
>  }
>
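
Review bot: the usage string here gains [-a style], but the doas.1 part of this patch contains only the options-list hunk at @@ -40,6 +40,12 @@, so the SYNOPSIS in doas.1 would still show the old form unless it is updated in the same change. The two should be kept identical.
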
>@@ -318,6 +318,7 @@
>       const char *cmd;
>       char cmdline[LINE_MAX];
>       char myname[_PW_NAME_LEN + 1];
>+      char *login_style = NULL;
>       struct passwd *pw;
>       struct rule *rule;
>       uid_t uid;
>@@ -332,8 +333,11 @@
>
>       uid = getuid();
>
>-      while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
>+      while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
>               switch (ch) {
>+              case 'a':
>+                      login_style = optarg;
>+                      break;
>               case 'C':
>                       confpath = optarg;
>                       break;
>@@ -409,7 +413,7 @@
>       if (!(rule->options & NOPASS)) {
>               if (nflag)
>                       errx(1, "Authorization required");
>-              if (!auth_userokay(myname, NULL, NULL, NULL)) {
>+              if (!auth_userokay(myname, login_style, "auth-doas", NULL)) {

Assuming the login_style is limited to the login type (or the default), which I 
assume it is but could not deduce from the man page, I like this.

Whether it's adding too much to doas or not, I'm not to decide. I've already 
received sort of ok's for the auth-doas part.

/Alexander 

>                       syslog(LOG_AUTHPRIV | LOG_NOTICE,
>                           "failed password for %s", myname);
>                       permfail();
>
>
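
Review bot: the syslog call following the changed auth_userokay() line still logs "failed password for %s", which is no longer accurate once -a can select a non-password style, and it does not record which style was requested. Since login_style is taken straight from optarg, consider a neutral message such as "failed auth for %s" and include the requested style (or "default" when login_style is NULL) in the LOG_AUTHPRIV entry, so failed attempts with an unexpected style show up in the auth log.
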
>OK?
