I rewrote the patch a little bit to remove a small kind-of typo in the
manpage and to remove lines that were too long.
So with this patch, you give the user the right to choose the
authentication style and, administratively, in login.conf, you can
restrict it.
Any comments? OK?
Index: doas.1
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.1,v
retrieving revision 1.14
diff -u -r1.14 doas.1
--- doas.1 27 Jul 2015 17:57:06 -0000 1.14
+++ doas.1 26 Aug 2015 13:34:14 -0000
@@ -40,6 +40,16 @@
.Pp
The options are as follows:
.Bl -tag -width tenletters
+.It Fl a Ar style
+The
+.Fl a
+(authentication style) option causes
+.Nm
+to use the specified authentication style when validating the user,
+as allowed by /etc/login.conf.
+The system administrator may specify a list of doas-specific
+authentication methods by adding an ``auth-doas''
+entry in /etc/login.conf.
.It Fl C Ar config
Parse and check the configuration file
.Ar config ,
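Review bot: the SYNOPSIS of doas.1 is not touched by this diff, so the manpage synopsis will disagree with the usage() string in doas.c, which now lists `[-a style]`; add `.Op Fl a Ar style` to the SYNOPSIS as well. In the new text, mark the path with `.Pa /etc/login.conf` and quote the capability as `.Dq auth-doas` rather than ``auth-doas'', and consider an `.Xr login.conf 5` cross reference so readers can find where the capability is defined.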
Index: doas.c
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.38
diff -u -r1.38 doas.c
--- doas.c 22 Aug 2015 16:01:05 -0000 1.38
+++ doas.c 26 Aug 2015 13:34:14 -0000
@@ -36,7 +36,7 @@
static void __dead
usage(void)
{
- fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command
[args]\n");
+ fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]
command [args]\n");
exit(1);
}
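Review bot: both the removed and the added fprintf() lines are shown with the string literal broken across two lines, which is not valid C if the split is real rather than mail-client wrapping; since the cover note says over-long lines were shortened, please confirm that the new line is either a single literal or two adjacent literals, e.g. `fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user]"` followed by `    " command [args]\n");`.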
@@ -318,6 +318,7 @@
const char *cmd;
char cmdline[LINE_MAX];
char myname[_PW_NAME_LEN + 1];
+ char *login_style = NULL;
struct passwd *pw;
struct rule *rule;
uid_t uid;
@@ -332,8 +333,11 @@
uid = getuid();
- while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
+ while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
switch (ch) {
+ case 'a':
+ login_style = optarg;
+ break;
case 'C':
confpath = optarg;
break;
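Review bot: `optarg` is stored into login_style without any check, so an arbitrary user-supplied string reaches auth_userokay(3); that is acceptable only because the BSD auth library rejects styles not permitted for the user's class in login.conf, and a rejected style then surfaces as the generic "failed password" message in the later hunk. A short comment here saying that validation is delegated to login.conf would make the intent clear, and a distinct error for a disallowed style is worth considering.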
@@ -409,7 +413,7 @@
if (!(rule->options & NOPASS)) {
if (nflag)
errx(1, "Authorization required");
- if (!auth_userokay(myname, NULL, NULL, NULL)) {
+ if (!auth_userokay(myname, login_style, "auth-doas", NULL)) {
syslog(LOG_AUTHPRIV | LOG_NOTICE,
"failed password for %s", myname);
permfail();
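Review bot: the type argument of auth_userokay(3) is the suffix the library appends to "auth-" when it looks up the capability, so passing "auth-doas" makes login_getstyle(3) search for an "auth-auth-doas" entry; to match the `auth-doas` capability documented in the manpage hunk, pass "doas" here: `if (!auth_userokay(myname, login_style, "doas", NULL)) {`. With a user-chosen style the failure can also be a disallowed style rather than a bad password, so the "failed password for %s" syslog text is now slightly misleading; "failed auth for %s" would cover both cases.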
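A login.conf(5) fragment, added here as an illustration and not part of the patch, showing the administrative side of what the patch enables: the class name "staff" and the style lists are assumptions, while the capability name auth-doas is the one the manpage hunk documents.

```conf
# Constructed example /etc/login.conf fragment (not part of the patch).
# "auth" lists the styles allowed for ordinary logins; "auth-doas"
# overrides that list for doas only, so "doas -a style" is accepted
# only if style appears in the list for the user's class.
default:\
	:auth=passwd,skey:\
	:auth-doas=passwd:

# Assumed class: members may also use S/Key when authenticating to doas.
staff:\
	:auth-doas=passwd,skey:\
	:tc=default:
```

With this in place, `doas -a skey cmd` can succeed only for users in a class whose auth-doas list includes skey; everyone else is limited to passwd regardless of what -a requests.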