On 08/26/2015 06:39 PM, Michael Reed wrote:
Hi Renaud,

On 08/26/15 09:38, Renaud Allard wrote:
I rewrote the patch a little bit to remove a small kind-of typo in the manpage 
and to remove overly long lines.
So with this patch, you give the user the right to choose the authentication 
style and, administratively, in login.conf, you can restrict it.

Any comments? OK?

I left some comments inline


The usage string under SYNOPSIS should be updated too.


I think the two instances of `/etc/login.conf' should be specified using
the Pa macro, so that doas(1) also shows up if `apropos Pa=/etc/login.conf'
is executed, which currently gives plenty of results.


Instead of ``...'', I think Sq or Dq should be used.


I rewrote the patch with the suggested modifications. Any more comments? Is it OK?

Index: doas.1
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.1,v
retrieving revision 1.14
diff -u -r1.14 doas.1
--- doas.1      27 Jul 2015 17:57:06 -0000      1.14
+++ doas.1      27 Aug 2015 06:02:35 -0000
@@ -22,6 +22,7 @@
 .Sh SYNOPSIS
 .Nm doas
 .Op Fl ns
+.Op Fl a Ar style
 .Op Fl C Ar config
 .Op Fl u Ar user
 .Ar command
@@ -40,6 +41,19 @@
 .Pp
 The options are as follows:
 .Bl -tag -width tenletters
+.It Fl a Ar style
+The
+.Fl a
+(authentication style) option causes
+.Nm
+to use the specified authentication style when validating the user,
+as allowed by
+.Pa /etc/login.conf .
+The system administrator may specify a list of doas-specific
+authentication methods by adding an
+.Sq auth-doas
+entry in
+.Pa /etc/login.conf .
 .It Fl C Ar config
 Parse and check the configuration file
 .Ar config ,
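Review bot: The new -a entry uses two terms for the same thing: the first sentence says "authentication style" and the second says "authentication methods". Pick one; the flag argument is already named "style". The opening "The .Fl a (authentication style) option causes .Nm to ..." is also wordier than the neighbouring -C entry ("Parse and check the configuration file"); an imperative such as "Use the specified authentication style when validating the user" would match it. The entry should also say what happens when the requested style is not allowed by /etc/login.conf.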
Index: doas.c
===================================================================
RCS file: /cvs/src/usr.bin/doas/doas.c,v
retrieving revision 1.38
diff -u -r1.38 doas.c
--- doas.c      22 Aug 2015 16:01:05 -0000      1.38
+++ doas.c      27 Aug 2015 06:02:35 -0000
@@ -36,7 +36,7 @@
 static void __dead
 usage(void)
 {
- fprintf(stderr, "usage: doas [-ns] [-C config] [-u user] command [args]\n"); + fprintf(stderr, "usage: doas [-ns] [-a style] [-C config] [-u user] command [args]\n");
        exit(1);
 }

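Review bot: The replacement fprintf line in usage() runs well past 80 columns now that "[-a style]" is added, even before indentation is counted. Split the string literal across two source lines, for example after "[-C config]", so the printed usage text is unchanged but the line fits.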
@@ -318,6 +318,7 @@
        const char *cmd;
        char cmdline[LINE_MAX];
        char myname[_PW_NAME_LEN + 1];
+       char *login_style = NULL;
        struct passwd *pw;
        struct rule *rule;
        uid_t uid;
@@ -332,8 +333,11 @@

        uid = getuid();

-       while ((ch = getopt(argc, argv, "C:nsu:")) != -1) {
+       while ((ch = getopt(argc, argv, "a:C:nsu:")) != -1) {
                switch (ch) {
+               case 'a':
+                       login_style = optarg;
+                       break;
                case 'C':
                        confpath = optarg;
                        break;
@@ -409,7 +413,7 @@
        if (!(rule->options & NOPASS)) {
                if (nflag)
                        errx(1, "Authorization required");
-               if (!auth_userokay(myname, NULL, NULL, NULL)) {
+               if (!auth_userokay(myname, login_style, "auth-doas", NULL)) {
                        syslog(LOG_AUTHPRIV | LOG_NOTICE,
                            "failed password for %s", myname);
                        permfail();
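Review bot: The failure path after auth_userokay() still logs "failed password for %s", which is misleading once -a lets the user select a non-password style, and the message does not record which style was requested. Consider a neutral message such as "failed auth for %s" and include login_style when it is non-NULL. Since login_style now comes straight from the command line, it is also worth stating in the patch description how auth_userokay() behaves when that style is not listed under "auth-doas".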

