Hello community,

here is the log from the commit of package pam_yubico for openSUSE:Factory 
checked in at 2016-06-09 16:15:40
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pam_yubico (Old)
 and      /work/SRC/openSUSE:Factory/.pam_yubico.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pam_yubico"

Changes:
--------
--- /work/SRC/openSUSE:Factory/pam_yubico/pam_yubico.changes    2016-04-28 
17:02:03.000000000 +0200
+++ /work/SRC/openSUSE:Factory/.pam_yubico.new/pam_yubico.changes       
2016-06-09 16:17:52.000000000 +0200
@@ -1,0 +2,8 @@
+Thu Jun  9 07:34:20 UTC 2016 - [email protected]
+
+- Version 2.22 (released 2016-05-23)
+  - Documentation improvements.
+  - Retain ownership and permission of challenge files (issue #92).
+  - Make dependency on yubico-c-client 2.15 clearer.
+
+-------------------------------------------------------------------

Old:
----
  pam_yubico-2.21.tar.gz
  pam_yubico-2.21.tar.gz.sig

New:
----
  pam_yubico-2.22.tar.gz
  pam_yubico-2.22.tar.gz.sig

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pam_yubico.spec ++++++
--- /var/tmp/diff_new_pack.5qR0UI/_old  2016-06-09 16:17:54.000000000 +0200
+++ /var/tmp/diff_new_pack.5qR0UI/_new  2016-06-09 16:17:54.000000000 +0200
@@ -17,7 +17,7 @@
 
 
 Name:           pam_yubico
-Version:        2.21
+Version:        2.22
 Release:        0
 Summary:        Yubico Pluggable Authentication Module (PAM)
 License:        BSD-2-Clause
@@ -26,7 +26,7 @@
 Source:         
https://developers.yubico.com/yubico-pam/Releases/pam_yubico-%{version}.tar.gz
 Source1:        
https://developers.yubico.com/yubico-pam/Releases/pam_yubico-%{version}.tar.gz.sig
 Source2:        baselib.conf
-BuildRequires:  libykclient-devel
+BuildRequires:  libykclient-devel >= 2.15
 BuildRequires:  libyubikey-devel
 BuildRequires:  openldap2-devel
 BuildRequires:  pam-devel

++++++ pam_yubico-2.21.tar.gz -> pam_yubico-2.22.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/ChangeLog 
new/pam_yubico-2.22/ChangeLog
--- old/pam_yubico-2.21/ChangeLog       2016-02-19 12:18:10.000000000 +0100
+++ new/pam_yubico-2.22/ChangeLog       2016-05-23 09:51:51.000000000 +0200
@@ -1,3 +1,57 @@
+2016-05-23  Klas Lindfors <[email protected]>
+
+       * NEWS: NEWS for 2.22
+
+2016-04-18  Klas Lindfors <[email protected]>
+
+       * configure.ac: let configure script check for ykclient_set_proxy() 
since it's the last symbol added to ykclient that we need, from
+       2.15.
+
+2016-04-01  Klas Lindfors <[email protected]>
+
+       * : commit 0a1051f6dfd8c13d47614eaf9f38f4ee70bb109a Author: Klas
+       Lindfors <[email protected]> Date:   Thu Mar 31 10:12:18 2016 +0200
+
+2016-03-31  Klas Lindfors <[email protected]>
+
+       * ykpamcfg.c: set file permissions when creating a new challenge
+       file
+
+2016-03-31  Klas Lindfors <[email protected]>
+
+       * configure.ac, pam_yubico.c: switch
+       pam_modutils_getpwnam()/getpwnam() to always use getpwnam_r()
+
+2016-03-30  Klas Lindfors <[email protected]>
+
+       * pam_yubico.c: copy ownership and modes of old challenge file when
+       creating a new one fixes #92
+
+2016-03-29  Klas Lindfors <[email protected]>
+
+       * README, pam_yubico.8.txt: verbose_otp can not be used with OpenSSH 
fixes #25
+
+2016-02-26  Klas Lindfors <[email protected]>
+
+       * doc/Authentication_Using_Challenge-Response.adoc: typo.
+
+2016-02-26  Klas Lindfors <[email protected]>
+
+       * doc/Authentication_Using_Challenge-Response.adoc: document how to
+       use ykpamcfg with path instead of moving file
+
+2016-02-26  Klas Lindfors <[email protected]>
+
+       * : Merge pull request #89 from AmShaegar13/improve_cr_auth_docu 
Changed /etc/yubico to /var/yubico
+
+2016-02-19  Klas Lindfors <[email protected]>
+
+       * .gitignore: ignore pkg files
+
+2016-02-19  Klas Lindfors <[email protected]>
+
+       * NEWS, configure.ac: bump versions after release
+
 2016-02-19  Klas Lindfors <[email protected]>
 
        * NEWS: NEWS for 2.21
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/NEWS new/pam_yubico-2.22/NEWS
--- old/pam_yubico-2.21/NEWS    2016-02-19 12:17:55.000000000 +0100
+++ new/pam_yubico-2.22/NEWS    2016-05-23 09:46:07.000000000 +0200
@@ -1,5 +1,13 @@
 pam_yubico NEWS -- History of user-visible changes.             -*- outline -*-
 
+* Version 2.22 (released 2016-05-23)
+
+** Documentation improvements.
+
+** Retain ownership and permission of challenge files (issue #92).
+
+** Make dependency on yubico-c-client 2.15 clearer.
+
 * Version 2.21 (released 2016-02-19)
 
 ** Add proxy support for yubico-c-client.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/README new/pam_yubico-2.22/README
--- old/pam_yubico-2.21/README  2015-11-16 09:09:04.000000000 +0100
+++ new/pam_yubico-2.22/README  2016-03-29 11:09:54.000000000 +0200
@@ -201,8 +201,7 @@
    authentication because that will display your password on the
    screen.
    This requires the service using the PAM module to
-   display custom fields.  For example, OpenSSH requires
-   you to configure `ChallengeResponseAuthentication no`.
+   display custom fields.  This option can not be used with OpenSSH.
 
 ldap_uri:: specify the LDAP server URI (e.g. ldap://localhost).
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/configure 
new/pam_yubico-2.22/configure
--- old/pam_yubico-2.21/configure       2015-11-11 12:48:14.000000000 +0100
+++ new/pam_yubico-2.22/configure       2016-05-23 09:44:04.000000000 +0200
@@ -1,6 +1,6 @@
 #! /bin/sh
 # Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.69 for pam_yubico 2.21.
+# Generated by GNU Autoconf 2.69 for pam_yubico 2.22.
 #
 # Report bugs to <[email protected]>.
 #
@@ -590,8 +590,8 @@
 # Identity of this package.
 PACKAGE_NAME='pam_yubico'
 PACKAGE_TARNAME='pam_yubico'
-PACKAGE_VERSION='2.21'
-PACKAGE_STRING='pam_yubico 2.21'
+PACKAGE_VERSION='2.22'
+PACKAGE_STRING='pam_yubico 2.22'
 PACKAGE_BUGREPORT='[email protected]'
 PACKAGE_URL=''
 
@@ -1349,7 +1349,7 @@
   # Omit some internal or obsolete options to make the list less imposing.
   # This message is too long to be a string in the A/UX 3.1 sh.
   cat <<_ACEOF
-\`configure' configures pam_yubico 2.21 to adapt to many kinds of systems.
+\`configure' configures pam_yubico 2.22 to adapt to many kinds of systems.
 
 Usage: $0 [OPTION]... [VAR=VALUE]...
 
@@ -1419,7 +1419,7 @@
 
 if test -n "$ac_init_help"; then
   case $ac_init_help in
-     short | recursive ) echo "Configuration of pam_yubico 2.21:";;
+     short | recursive ) echo "Configuration of pam_yubico 2.22:";;
    esac
   cat <<\_ACEOF
 
@@ -1544,7 +1544,7 @@
 test -n "$ac_init_help" && exit $ac_status
 if $ac_init_version; then
   cat <<\_ACEOF
-pam_yubico configure 2.21
+pam_yubico configure 2.22
 generated by GNU Autoconf 2.69
 
 Copyright (C) 2012 Free Software Foundation, Inc.
@@ -1913,7 +1913,7 @@
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.
 
-It was created by pam_yubico $as_me 2.21, which was
+It was created by pam_yubico $as_me 2.22, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   $ $0 $@
@@ -2777,7 +2777,7 @@
 
 # Define the identity of the package.
  PACKAGE='pam_yubico'
- VERSION='2.21'
+ VERSION='2.22'
 
 
 cat >>confdefs.h <<_ACEOF
@@ -12148,63 +12148,6 @@
 
 fi
 
-{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for library containing 
pam_modutil_getpwnam" >&5
-$as_echo_n "checking for library containing pam_modutil_getpwnam... " >&6; }
-if ${ac_cv_search_pam_modutil_getpwnam+:} false; then :
-  $as_echo_n "(cached) " >&6
-else
-  ac_func_search_save_LIBS=$LIBS
-cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-/* Override any GCC internal prototype to avoid an error.
-   Use char because int might match the return type of a GCC
-   builtin and then its argument prototype would still apply.  */
-#ifdef __cplusplus
-extern "C"
-#endif
-char pam_modutil_getpwnam ();
-int
-main ()
-{
-return pam_modutil_getpwnam ();
-  ;
-  return 0;
-}
-_ACEOF
-for ac_lib in '' "pam"; do
-  if test -z "$ac_lib"; then
-    ac_res="none required"
-  else
-    ac_res=-l$ac_lib
-    LIBS="-l$ac_lib  $ac_func_search_save_LIBS"
-  fi
-  if ac_fn_c_try_link "$LINENO"; then :
-  ac_cv_search_pam_modutil_getpwnam=$ac_res
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext
-  if ${ac_cv_search_pam_modutil_getpwnam+:} false; then :
-  break
-fi
-done
-if ${ac_cv_search_pam_modutil_getpwnam+:} false; then :
-
-else
-  ac_cv_search_pam_modutil_getpwnam=no
-fi
-rm conftest.$ac_ext
-LIBS=$ac_func_search_save_LIBS
-fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: 
$ac_cv_search_pam_modutil_getpwnam" >&5
-$as_echo "$ac_cv_search_pam_modutil_getpwnam" >&6; }
-ac_res=$ac_cv_search_pam_modutil_getpwnam
-if test "$ac_res" != no; then :
-  test "$ac_res" = "none required" || LIBS="$ac_res $LIBS"
-  $as_echo "#define HAVE_PAM_MODUTIL_GETPWNAM 1" >>confdefs.h
-
-fi
-
 
 
 # Check whether --with-ldap was given.
@@ -12997,7 +12940,7 @@
 int
 main ()
 {
-ykclient_set_url_bases(0, 0, 0)
+ykclient_set_proxy(0, 0)
   ;
   return 0;
 }
@@ -13038,7 +12981,7 @@
 
 
 if test "$ac_cv_libykclient" != yes; then
-   as_fn_error $? "Libykclient v2.12+ required, see 
https://developers.yubico.com/yubico-c-client/"; "$LINENO" 5
+   as_fn_error $? "Libykclient v2.15+ required, see 
https://developers.yubico.com/yubico-c-client/"; "$LINENO" 5
 fi
 
 
@@ -14802,7 +14745,7 @@
 # report actual input values of CONFIG_FILES etc. instead of their
 # values after options handling.
 ac_log="
-This file was extended by pam_yubico $as_me 2.21, which was
+This file was extended by pam_yubico $as_me 2.22, which was
 generated by GNU Autoconf 2.69.  Invocation command line was
 
   CONFIG_FILES    = $CONFIG_FILES
@@ -14859,7 +14802,7 @@
 cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; 
s/[\\""\`\$]/\\\\&/g'`"
 ac_cs_version="\\
-pam_yubico config.status 2.21
+pam_yubico config.status 2.22
 configured by $0, generated by GNU Autoconf 2.69,
   with options \\"\$ac_cs_config\\"
 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/configure.ac 
new/pam_yubico-2.22/configure.ac
--- old/pam_yubico-2.21/configure.ac    2015-10-08 12:04:18.000000000 +0200
+++ new/pam_yubico-2.22/configure.ac    2016-04-18 20:56:26.000000000 +0200
@@ -26,7 +26,7 @@
 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 
-AC_INIT([pam_yubico], [2.21], [[email protected]])
+AC_INIT([pam_yubico], [2.22], [[email protected]])
 AC_CONFIG_AUX_DIR([build-aux])
 AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE([1.11 foreign -Wall -Werror])
@@ -49,7 +49,6 @@
 AC_CHECK_LIB([pam], [pam_start], [AC_SUBST([LIBPAM], ["-lpam"])])
 
 AC_SEARCH_LIBS([pam_modutil_drop_priv], ["pam"], 
[AC_DEFINE([HAVE_PAM_MODUTIL_DROP_PRIV], [1])])
-AC_SEARCH_LIBS([pam_modutil_getpwnam], ["pam"], 
[AC_DEFINE([HAVE_PAM_MODUTIL_GETPWNAM], [1])])
 
 AC_ARG_WITH([ldap],
             [AS_HELP_STRING([--without-ldap],
@@ -70,9 +69,9 @@
 
 
 AC_LIB_HAVE_LINKFLAGS([ykclient],, [#include <ykclient.h>],
-                      [ykclient_set_url_bases(0, 0, 0)])
+                      [ykclient_set_proxy(0, 0)])
 if test "$ac_cv_libykclient" != yes; then
-   AC_MSG_ERROR([[Libykclient v2.12+ required, see 
https://developers.yubico.com/yubico-c-client/]])
+   AC_MSG_ERROR([[Libykclient v2.15+ required, see 
https://developers.yubico.com/yubico-c-client/]])
 fi
 
 AC_LIB_HAVE_LINKFLAGS(yubikey,, [#include <yubikey.h>],
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' 
old/pam_yubico-2.21/doc/Authentication_Using_Challenge-Response.adoc 
new/pam_yubico-2.22/doc/Authentication_Using_Challenge-Response.adoc
--- old/pam_yubico-2.21/doc/Authentication_Using_Challenge-Response.adoc        
2014-11-03 11:23:32.000000000 +0100
+++ new/pam_yubico-2.22/doc/Authentication_Using_Challenge-Response.adoc        
2016-02-26 09:35:14.000000000 +0100
@@ -14,7 +14,7 @@
 The PAM module supports a system wide directory for these state files
 (in case the user's home directories are encrypted), but in a system
 wide directory, the 'challenge' part should be replaced with the
-username.  Example: `/var/yubico/challenges/alice-123456`.
+username.  Example: `/var/yubico/alice-123456`.
 
 To use the system-wide mode, you currently have to move the generated
 state files manually and configure the PAM module accordingly.
@@ -68,23 +68,27 @@
 Stored initial challenge and expected response in 
'/home/alice/.yubico/challenge-123456'.
 $
 ------
-If your /home/user folder is encrypted you should move the challenge file in a 
different path (i.e. /etc/yubico) and then set the right permission for the 
user to create the files. To do this do as follow:
+If your /home/user folder is encrypted you should move the challenge file in a 
different path (i.e. /var/yubico) and then set the right permission for the 
user to create the files. To do this do as follow:
 
 ----
-$ mkdir /etc/yubico
-$ chmod +t /etc/yubico
-$ chmod 777 /etc/yubico
-$ mv /home/user/.yubico/challenge-####### /etc/yubico/username-#######
+$ mkdir /var/yubico
+$ chmod +t /var/yubico
+$ chmod 777 /var/yubico
+$ ykpamcfg -2 -v -p /var/yubico
 ...
-It is important that you name the file with the username of the user that is 
going to use the Yubikey
+Stored initial challenge and expected response in '/var/yubico/alice-123456'.
+$
 ----
+
+It is important that the file is named with the name of the user that is going 
to be authenticated by this YubiKey.
+
 Finally we tell the pam module where to look for the challenge file
 
  $ emacs /etc/pam.d/common-auth
 
 and edit the following line as follow:
 
- auth  required        pam_yubico.so mode=challenge-response 
chalresp_path=/etc/yubico
+ auth  required        pam_yubico.so mode=challenge-response 
chalresp_path=/var/yubico
 
 Then back to the PAM configuration step, first make sure you have a
 root terminal available to be able to disable YubiKey login in case of
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/pam_yubico.8 
new/pam_yubico-2.22/pam_yubico.8
--- old/pam_yubico-2.21/pam_yubico.8    2016-02-18 13:12:48.000000000 +0100
+++ new/pam_yubico-2.22/pam_yubico.8    2016-05-23 09:44:18.000000000 +0200
@@ -2,12 +2,12 @@
 .\"     Title: pam_yubico
 .\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: Version 2.21
+.\"      Date: Version 2.22
 .\"    Manual: Yubico PAM Module Manual
 .\"    Source: yubico-pam
 .\"  Language: English
 .\"
-.TH "PAM_YUBICO" "8" "Version 2\&.21" "yubico\-pam" "Yubico PAM Module Manual"
+.TH "PAM_YUBICO" "8" "Version 2\&.22" "yubico\-pam" "Yubico PAM Module Manual"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
@@ -110,7 +110,7 @@
 .PP
 \fBverbose_otp\fR
 .RS 4
-This argument is used to show the OTP (One Time Password) when it is entered, 
i\&.e\&. to enable terminal echo of entered characters\&. You are advised to 
not use this, if you are using two factor authentication because that will 
display your password on the screen\&. This requires the service using the PAM 
module to display custom fields\&. For example, OpenSSH requires you to 
configure "ChallengeResponseAuthentication no"\&.
+This argument is used to show the OTP (One Time Password) when it is entered, 
i\&.e\&. to enable terminal echo of entered characters\&. You are advised to 
not use this, if you are using two factor authentication because that will 
display your password on the screen\&. This requires the service using the PAM 
module to display custom fields\&. This option can not be used with OpenSSH\&.
 .RE
 .PP
 \fBldap_uri\fR=\fIuri\fR
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/pam_yubico.8.txt 
new/pam_yubico-2.22/pam_yubico.8.txt
--- old/pam_yubico-2.21/pam_yubico.8.txt        2016-02-18 13:11:05.000000000 
+0100
+++ new/pam_yubico-2.22/pam_yubico.8.txt        2016-03-29 11:09:37.000000000 
+0200
@@ -54,7 +54,7 @@
 Specify a proxy to connect to the validation server. Valid schemes are 
socks4://, socks4a://, socks5:// or socks5h://. Socks5h asks the proxy to do 
the dns resolving. If no scheme or port is specified HTTP proxy port 1080 will 
be used. E.g. socks5h://user:[email protected]:1080
 
 *verbose_otp*::
-This argument is used to show the OTP (One Time Password) when it is entered, 
i.e. to enable terminal echo of entered characters.  You are advised to not use 
this, if you are using two factor authentication because that will display your 
password on the screen.  This requires the service using the PAM module to 
display custom fields.  For example, OpenSSH requires you to configure 
"ChallengeResponseAuthentication no".
+This argument is used to show the OTP (One Time Password) when it is entered, 
i.e. to enable terminal echo of entered characters.  You are advised to not use 
this, if you are using two factor authentication because that will display your 
password on the screen.  This requires the service using the PAM module to 
display custom fields.  This option can not be used with OpenSSH.
 
 *ldap_uri*=_uri_::
 Specify the LDAP server URI (e.g. ldap://localhost).
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/pam_yubico.c 
new/pam_yubico-2.22/pam_yubico.c
--- old/pam_yubico-2.21/pam_yubico.c    2016-02-19 11:03:52.000000000 +0100
+++ new/pam_yubico-2.22/pam_yubico.c    2016-04-01 09:35:19.000000000 +0200
@@ -157,16 +157,15 @@
   else
     {
       char *userfile = NULL;
-      struct passwd *p;
+      struct passwd pass, *p;
+      char buf[1024];
+      size_t buflen = sizeof(buf);
+      int pwres;
       PAM_MODUTIL_DEF_PRIVS(privs);
 
-#ifdef HAVE_PAM_MODUTIL_GETPWNAM
-      p = pam_modutil_getpwnam (pamh, username);
-#else
-      p = getpwnam (username);
-#endif
+      pwres = getpwnam_r (username, &pass, buf, buflen, &p);
       if (p == NULL) {
-       DBG (("getpwnam: %s", strerror(errno)));
+       DBG (("getpwnam_r: %s", strerror(pwres)));
        return 0;
       }
 
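Review bot: The fixed 1024-byte scratch buffer passed to `getpwnam_r` means an account whose passwd entry does not fit fails with ERANGE, and that lands in the same `p == NULL` / `return 0` path as an unknown user. Sizing the buffer from `sysconf(_SC_GETPW_R_SIZE_MAX)`, or retrying with a larger buffer on ERANGE, would avoid turning an oversized directory entry into a silent lookup failure. When the user simply does not exist `getpwnam_r` returns 0, so the debug line prints `getpwnam_r: Success`; something like `DBG (("getpwnam_r: %s", pwres ? strerror(pwres) : "user not found"));` keeps the log honest. The same pattern is repeated in the later hunk at -466,13 +469,9 (buffer `pwbuf`). The enclosing function starts and ends outside this hunk.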
@@ -447,7 +446,11 @@
 
   const char *errstr = NULL;
 
-  struct passwd *p;
+  struct passwd pass, *p;
+  char pwbuf[1024];
+  size_t pwbuflen = sizeof(pwbuf);
+  int pwres;
+
   struct stat st;
 
   /* we must declare two sepparate privs structures as they can't be reused */
@@ -466,13 +469,9 @@
     goto out;
   }
 
-#ifdef HAVE_PAM_MODUTIL_GETPWNAM
-  p = pam_modutil_getpwnam (pamh, username);
-#else
-  p = getpwnam (username);
-#endif
+  pwres = getpwnam_r (username, &pass, pwbuf, pwbuflen, &p);
   if (p == NULL) {
-      DBG (("getpwnam: %s", strerror(errno)));
+      DBG (("getpwnam_r: %s", strerror(pwres)));
       goto out;
   }
 
@@ -616,10 +615,14 @@
       goto restpriv_out;
   }
 
-  if (fchmod (fd, S_IRUSR | S_IWUSR) != 0) {
+  if (fchmod (fd, st.st_mode) != 0) {
       DBG (("could not set correct file permissions"));
       goto restpriv_out;
   }
+  if (fchown (fd, st.st_uid, st.st_gid) != 0) {
+      DBG (("could not set correct file ownership"));
+      goto restpriv_out;
+  }
 
   f = fdopen(fd, "w");
   if (! f) {
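Review bot: `fchmod (fd, st.st_mode)` copies the old file's mode verbatim, so a challenge file that was ever group- or world-readable now stays that way across every rewrite, where the previous code reset it to 0600 each time. The file holds the expected response, so this deserves a comment stating that it is intentional, and ideally a debug message when group/other bits are set. `st.st_mode` also carries file-type and set-id bits; masking makes the intent explicit, e.g. `fchmod (fd, st.st_mode & (S_IRWXU | S_IRWXG | S_IRWXO))`. `st` is filled outside this hunk; it should come from `fstat` on the already opened old file rather than a path lookup, which cannot be confirmed from here. Both DBG messages would also be more useful with `strerror(errno)` appended.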
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/ykpamcfg.1 
new/pam_yubico-2.22/ykpamcfg.1
--- old/pam_yubico-2.21/ykpamcfg.1      2016-02-18 13:12:48.000000000 +0100
+++ new/pam_yubico-2.22/ykpamcfg.1      2016-05-23 09:44:17.000000000 +0200
@@ -2,12 +2,12 @@
 .\"     Title: ykpamcfg
 .\"    Author: [FIXME: author] [see http://docbook.sf.net/el/author]
 .\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
-.\"      Date: Version 2.21
+.\"      Date: Version 2.22
 .\"    Manual: Yubico PAM Module Manual
 .\"    Source: yubico-pam
 .\"  Language: English
 .\"
-.TH "YKPAMCFG" "1" "Version 2\&.21" "yubico\-pam" "Yubico PAM Module Manual"
+.TH "YKPAMCFG" "1" "Version 2\&.22" "yubico\-pam" "Yubico PAM Module Manual"
 .\" -----------------------------------------------------------------
 .\" * Define some portability stuff
 .\" -----------------------------------------------------------------
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/pam_yubico-2.21/ykpamcfg.c 
new/pam_yubico-2.22/ykpamcfg.c
--- old/pam_yubico-2.21/ykpamcfg.c      2015-09-09 08:24:50.000000000 +0200
+++ new/pam_yubico-2.22/ykpamcfg.c      2016-04-01 09:35:19.000000000 +0200
@@ -145,6 +145,7 @@
   char *fn;
   struct passwd *p;
   FILE *f = NULL;
+  struct stat st;
 
   state.iterations = iterations;
   state.slot = slot;
@@ -162,7 +163,6 @@
   */
   
   if (!output_dir){
-      struct stat st;
       char fullpath[256];
       snprintf(fullpath, 256,"%s/.yubico",p->pw_dir);
       
@@ -190,6 +190,11 @@
     goto out;
   }
 
+  if (stat(fn, &st) == 0) {
+    fprintf(stderr, "File %s already exists, refusing to overwrite.\n", fn);
+    goto out;
+  }
+
   if (generate_random(state.challenge, CR_CHALLENGE_SIZE)) {
     fprintf (stderr, "FAILED getting %i bytes of random data\n", 
CR_CHALLENGE_SIZE);
     goto out;
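Review bot: The `stat(fn, &st) == 0` test is a check-then-create pattern: the file is opened later, outside this hunk, so something can appear at `fn` in between, and because `stat` follows symlinks a dangling link passes the check. That matters when `output_dir` is a shared, world-writable directory such as the one the challenge-response documentation sets up. Creating the file atomically closes the gap, e.g. `fd = open (fn, O_WRONLY | O_CREAT | O_EXCL, S_IRUSR | S_IWUSR);` followed by `f = fdopen (fd, "w");`, with EEXIST reported as the "refusing to overwrite" case. How `fn` is actually opened is inferred, since the function body begins and ends outside the hunk.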
@@ -240,6 +245,11 @@
   if (! write_chalresp_state (f, &state))
     goto out;
 
+  if (! chmod (fn, S_IRUSR | S_IWUSR)) {
+    fprintf (stderr, "Failed setting permissions on new challenge file %s.\n", 
fn);
+    goto out;
+  }
+
   printf ("Stored initial challenge and expected response in '%s'.\n", fn);
 
   *exit_code = 0;
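Review bot: The condition `if (! chmod (fn, S_IRUSR | S_IWUSR))` is inverted: `chmod` returns 0 on success, so the "Failed setting permissions" branch runs when the call succeeds, and a real failure (-1) falls through to the success message. The result is that a correctly written challenge file is reported as an error and `*exit_code` is never set to 0, while a file whose mode could not be tightened is reported as stored. The check should be `if (chmod (fn, S_IRUSR | S_IWUSR) != 0) {`, or better `if (fchmod (fileno (f), S_IRUSR | S_IWUSR) != 0) {` placed before `write_chalresp_state`, so the secret is never on disk with the umask-derived mode and no second path lookup is needed. The surrounding function begins and ends outside this hunk.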

