On Sun, Jan 05, 2014 at 06:44:22PM -0600, Kent R. Spillner wrote: > Still haven't tested, but I also saw: > > > + password_pwd = malloc(password_pwd_len + 1); /* +1 for \0 */ > > + > > + /* extract the password */ > > + for ( cnt = 0 ; cnt < password_pwd_len ; cnt++ ) > > + password_pwd[cnt] = password[cnt]; > > + password_pwd[password_pwd_len] = '\0'; > > > Use strlcpy, don't roll your own.
Yes, that's better. > > + /* copy last 44 bytes (yubikey one-time password) */ > > + for ( cnt = 0 ; cnt + password_pwd_len < strlen(password) ; cnt++ ) > > + password_yubikey[cnt] = password[cnt+password_pwd_len]; > > If you made password_yubikey char[45] instead of char[44] then you could do: > > char *temp = password + password_pwd_len; > strlcpy(password_yubikey, temp, 45); This way I don't even have to copy the string. Having password_yubikey pointing to the right position is sufficient. New diff, but don't use it. It will log you in with a wrong one-time password as long as the password is correct. Index: Makefile =================================================================== RCS file: /cvs/src/libexec/Makefile,v retrieving revision 1.54 diff -u -p -r1.54 Makefile --- Makefile 4 Dec 2013 20:49:28 -0000 1.54 +++ Makefile 3 Jan 2014 23:54:18 -0000 @@ -5,8 +5,8 @@ SUBDIR= comsat fingerd ftpd getty ld.so lockspool login_chpass \ login_lchpass login_passwd login_radius login_reject \ - login_skey login_tis login_token login_yubikey mail.local \ - makewhatis rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld \ + login_skey login_tis login_token login_yubikey login_yubikey-and-pwd \ + mail.local makewhatis rpc.rquotad rpc.rstatd rpc.rusersd rpc.rwalld \ rpc.sprayd rshd security spamd spamd-setup spamlogd talkd \ tcpd uucpd Index: login_yubikey/login_yubikey.c =================================================================== RCS file: /cvs/src/libexec/login_yubikey/login_yubikey.c,v retrieving revision 1.8 diff -u -p -r1.8 login_yubikey.c --- login_yubikey/login_yubikey.c 27 Nov 2013 21:25:25 -0000 1.8 +++ login_yubikey/login_yubikey.c 6 Jan 2014 06:30:38 -0000 @@ -54,6 +54,12 @@ #define AUTH_OK 0 #define AUTH_FAILED -1 +#ifdef PASSWD +#include <util.h> +#include <common.h> +FILE *back = NULL; +#endif + static const char *path = "/var/db/yubikey"; static int clean_string(const char *); @@ -67,6 +73,13 @@ main(int argc, char *argv[]) char *username, *password = NULL; char response[1024]; +#ifdef PASSWD + int pwd_len, ret_yubi; + char *password_pwd = NULL, *password_yubikey = NULL; + char *wheel = NULL, *class = NULL; + int lastchance = 0; +#endif + setpriority(PRIO_PROCESS, 0, 0); openlog(NULL, LOG_ODELAY, LOG_AUTH); @@ -151,7 +164,36 @@ main(int argc, char *argv[]) } } +#ifndef PASSWD ret = yubikey_login(username, password); +#endif +#ifdef PASSWD + /* + * XXX this is bad because pwd_login writes to back and makes + * the login successful if pwd_login succeeds even if yubikey + * auth fails! + */ + back = f; + + /* the string generated by yubikey is 44 bytes + \0 */ + pwd_len = strlen(password) - 44 + 1; + password_pwd = malloc(pwd_len); + + /* extract the password */ + strlcpy(password_pwd, password, pwd_len); + + /* the yubikey one-time password is located right after the password */ + password_yubikey = password + pwd_len; + + ret = pwd_login(username, password_pwd, wheel, lastchance, class); + ret_yubi = yubikey_login(username, password_yubikey); + if (ret_yubi != AUTH_OK) + ret = AUTH_FAILED; + + memset(password_pwd, 0, strlen(password_pwd)); + free(password_pwd); +#endif + memset(password, 0, strlen(password)); if (ret == AUTH_OK) { syslog(LOG_INFO, "user %s: authorize", username); Index: login_yubikey-and-pwd/Makefile =================================================================== RCS file: login_yubikey-and-pwd/Makefile diff -N login_yubikey-and-pwd/Makefile --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ login_yubikey-and-pwd/Makefile 4 Jan 2014 01:18:49 -0000 @@ -0,0 +1,23 @@ +# $OpenBSD$ + +.include <bsd.own.mk> + +PROG= login_yubikey-and-pwd +MAN= ${PROG}.8 +SRCS= login_passwd.c pwd_gensalt.c +SRCS+= login_yubikey.c yubikey.c +DPADD= ${LIBUTIL} +LDADD+= -lutil + +CFLAGS+=-DPASSWD -Wall +CFLAGS+=-I${.CURDIR}/../login_passwd +CFLAGS+=-I${.CURDIR}/../../usr.bin/passwd + +.PATH: ${.CURDIR}/../login_passwd ${.CURDIR}/../../usr.bin/passwd ${.CURDIR}/../login_yubikey + +BINOWN= root +BINGRP= auth +BINMODE=2555 +BINDIR= /usr/libexec/auth + +.include <bsd.prog.mk> Index: login_yubikey-and-pwd/login_yubikey-and-pwd.8 =================================================================== RCS file: login_yubikey-and-pwd/login_yubikey-and-pwd.8 diff -N login_yubikey-and-pwd/login_yubikey-and-pwd.8 --- /dev/null 1 Jan 1970 00:00:00 -0000 +++ login_yubikey-and-pwd/login_yubikey-and-pwd.8 3 Jan 2014 23:46:57 -0000 @@ -0,0 +1,96 @@ +.\" $OpenBSD$ +.\" +.\" Copyright (c) 2010 Daniel Hartmeier <dan...@benzedrine.cx> +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" - Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" - Redistributions in binary form must reproduce the above +.\" copyright notice, this list of conditions and the following +.\" disclaimer in the documentation and/or other materials provided +.\" with the distribution. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +.\" FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +.\" COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +.\" INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, +.\" BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +.\" LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER +.\" CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN +.\" ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE +.\" POSSIBILITY OF SUCH DAMAGE. +.\" +.Dd $Mdocdate: January 4 2014 $ +.Dt LOGIN_YUBIKEY-AND-PWD 8 +.Os +.Sh NAME +.Nm login_yubikey-and-pwd +.Nd provide combined YubiKey and password authentication type +.Sh SYNOPSIS +.Nm login_yubikey-and-pwd +.Op Fl dv +.Op Fl s Ar service +.Ar user +.Op Ar class +.Sh DESCRIPTION +The +.Nm +utility is called by +.Xr login 1 , +.Xr su 1 , +.Xr ftpd 8 , +and others to authenticate the +.Ar user +via a combination of password authentication and a YubiKey one-time +password. +.Pp +The options are as follows: +.Bl -tag -width indent +.It Fl d +Debug mode. +Output is sent to the standard output instead of the +.Bx +Authentication backchannel. +.It Fl s Ar service +Specify the service. +Currently, only +.Li challenge , +.Li login , +and +.Li response +are supported. +The default protocol is +.Em login . +.It Fl v +This option and its value are ignored. +.El +.Pp +The +.Ar user +argument is the login name of the user to be authenticated. +.Pp +The optional +.Ar class +argument is accepted for consistency with the other login scripts but +is not used. +.Pp +The user is prompted for a password which must be the conventional password +and the one-time password from the YubiKey without any separators inbetween. +.Pp +The conventional password is validated as per +.Xr login_passwd 8 +and the one-time password is validated as per +.Xr login_yubikey 8 . +.El +.Sh SEE ALSO +.Xr login 1 , +.Xr login.conf 5 , +.Xr login_passwd 8 , +.Xr login_yubikey 8