auth API change. There is now an init method that gets run before

the main loop.  This allows auth routines to differentiate between
initialization that happens once vs. setup that needs to run each time
through the loop.

auth/fwtk.c

@@ -54,7 +54,7 @@ static const char rcsid[] = "$Sudo$";
 #endif /* lint */
 
 int
-fwtk_setup(pw, promptp, data)
+fwtk_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
@@ -62,9 +62,6 @@ fwtk_setup(pw, promptp, data)
     static Cfg *confp;			/* Configuration entry struct */
     char resp[128];			/* Response from the server */
 
-    if (confp)
-	return(AUTH_SUCCESS);		/* Already initialized */
-
     if ((confp = cfg_read("sudo")) == (Cfg *)-1) {
 	(void) fprintf(stderr, "%s: cannot read fwtk config.\n", Argv[0]);
 	return(AUTH_FATAL);

auth/kerb4.c

@@ -53,16 +53,13 @@ static const char rcsid[] = "$Sudo$";
 #endif /* lint */
 
 int
-kerb4_setup(pw, promptp, data)
+kerb4_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
 {
     static char realm[REALM_SZ];
 
-    if (*data)
-	return(AUTH_SUCCESS);		/* Already initialized */
-
     /* Don't try to verify root */
     if (pw->pw_uid == 0)
 	return(AUTH_FAILURE);

auth/kerb5.c

@@ -62,7 +62,7 @@ static krb5_context sudo_context = NULL;
 static int verify_krb_v5_tgt __P((krb5_ccache));
 
 int
-kerb5_setup(pw, promptp, data)
+kerb5_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
@@ -71,9 +71,6 @@ kerb5_setup(pw, promptp, data)
     krb5_error_code retval;
     extern int arg_prompt;
 
-    if (*data)
-	return(AUTH_SUCCESS);		/* Already initialized */
-
     /* XXX - make these errors non-fatal for better fallback? */
     if (retval = krb5_init_context(&sudo_context)) {
 	/* XXX - how to map retval to error string? */

auth/pam.c

@@ -58,7 +58,7 @@ static int sudo_conv __P((int, PAM_CONST struct pam_message **,
 static char *def_prompt;
 
 int
-pam_setup(pw, promptp, data)
+pam_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;
@@ -66,9 +66,6 @@ pam_setup(pw, promptp, data)
     static struct pam_conv pam_conv;
     pam_handle_t *pamh;
 
-    if (*data)
-	return(AUTH_SUCCESS);		/* Already initialized */
-
     /* Initial PAM setup */
     pam_conv.conv = sudo_conv;
     if (pam_start("sudo", pw->pw_name, &pam_conv, &pamh) != PAM_SUCCESS) {

auth/rfc1938.c

@@ -106,7 +106,7 @@ rfc1938_setup(pw, promptp, data)
 #endif /* OTP_ONLY */
     }
 
-    /* Get space for new prompt with embedded S/Key challenge */
+    /* Get space for new prompt with embedded challenge */
     if (np_size < op_len + strlen(challenge) + 7) {
 	np_size = op_len + strlen(challenge) + 7;
 	new_prompt = (char *) erealloc(new_prompt, np_size);

auth/secureware.c

@@ -58,7 +58,7 @@ static const char rcsid[] = "$Sudo$";
 #endif /* lint */
 
 int
-secureware_setup(pw, promptp, data)
+secureware_init(pw, promptp, data)
     struct passwd *pw;
     char **promptp;
     void **data;

auth/securid.c

@@ -60,6 +60,17 @@ static const char rcsid[] = "$Sudo$";
 
 union config_record configure;
 
+int
+securid_init(pw, promptp, data)
+    struct passwd *pw;
+    char **promptp;
+    void **data;
+{
+
+    creadcfg();					/* Only read config file once */
+    return(AUTH_SUCCESS);
+}
+
 int
 securid_setup(pw, promptp, data)
     struct passwd *pw;
@@ -68,10 +79,7 @@ securid_setup(pw, promptp, data)
 {
     static SD_CLIENT sd_dat;			/* SecurID data block */
 
-    if (!*data)
-	creadcfg();				/* Only read config file once */
-
-    /* Initialize SecurID every time. */
+    /* Re-initialize SecurID every time. */
     *data = &sd_dat;
     if (sd_init(sd) == 0)
 	return(AUTH_SUCCESS);

auth/sudo_auth.c

@@ -59,25 +59,25 @@ sudo_auth auth_switch[] = {
     AUTH_STANDALONE
 #else
 #  ifndef WITHOUT_PASSWD
-    AUTH_ENTRY(0, "passwd", NULL, passwd_verify, NULL)
+    AUTH_ENTRY(0, "passwd", NULL, NULL, passwd_verify, NULL)
 #  endif
 #  if defined(HAVE_SECUREWARE) && !defined(WITHOUT_PASSWD)
-    AUTH_ENTRY(0, "secureware", secureware_setup, secureware_verify, NULL)
+    AUTH_ENTRY(0, "secureware", secureware_init, NULL, secureware_verify, NULL)
 #  endif
 #  ifdef HAVE_AFS
-    AUTH_ENTRY(1, "afs", NULL, afs_verify, NULL)
+    AUTH_ENTRY(1, "afs", NULL, NULL, afs_verify, NULL)
 #  endif
 #  ifdef HAVE_KERB4
-    AUTH_ENTRY(1, "kerb4", kerb4_setup, kerb4_verify, NULL)
+    AUTH_ENTRY(1, "kerb4", kerb4_init, NULL, kerb4_verify, NULL)
 #  endif
 #  ifdef HAVE_KERB5
-    AUTH_ENTRY(1, "kerb5", kerb5_setup, kerb5_verify, NULL)
+    AUTH_ENTRY(1, "kerb5", kerb5_init, NULL, kerb5_verify, NULL)
 #  endif
 #  if defined(HAVE_SKEY)  || defined(HAVE_OPIE)
-    AUTH_ENTRY(1, "skey", rfc1938_setup, rfc1938_verify, NULL)
+    AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL)
 #  endif
 #endif /* AUTH_STANDALONE */
-    AUTH_ENTRY(0, NULL, NULL, NULL, NULL)
+    AUTH_ENTRY(0, NULL, NULL, NULL, NULL, NULL)
 };
 
 int nil_pw;		/* I hate resorting to globals like this... */
@@ -90,6 +90,23 @@ verify_user()
     char *p;
     sudo_auth *auth;
 
+    /* Initialize auth methods and unconfigure the method if necessary. */
+    for (auth = auth_switch; auth->name; auth++) {
+	if (auth->init && auth->configured) {
+	    if (auth->need_root)
+		set_perms(PERM_ROOT, 0);
+
+	    status = (auth->init)(sudo_user.pw, &user_prompt, &auth->data);
+	    if (status == AUTH_FAILURE)
+		auth->configured = 0;
+	    else if (status == AUTH_FATAL)	/* XXX log */
+		exit(1);		/* assume error msg already printed */
+
+	    if (auth->need_root)
+		set_perms(PERM_USER, 0);
+	}
+    }
+
     while (--counter) {
 	/* Do any per-method setup and unconfigure the method if needed */
 	for (auth = auth_switch; auth->name; auth++) {

auth/sudo_auth.h

@@ -40,16 +40,17 @@ typedef struct sudo_auth {
     int status;			/* status from verify routine */
     char *name;
     void *data;			/* method-specific data pointer */
+    int (*init) __P((struct passwd *pw, char **prompt, void **data));
     int (*setup) __P((struct passwd *pw, char **prompt, void **data));
     int (*verify) __P((struct passwd *pw, char *p, void **data));
     int (*cleanup) __P((struct passwd *pw, int status, void **data));
 } sudo_auth;
 
 /* Prototypes for standalone methods */
-int fwtk_setup __P((struct passwd *pw, char **prompt, void **data));
+int fwtk_init __P((struct passwd *pw, char **prompt, void **data));
 int fwtk_verify __P((struct passwd *pw, char *prompt, void **data));
 int fwtk_cleanup __P((struct passwd *pw, int status, void **data));
-int pam_setup __P((struct passwd *pw, char **prompt, void **data));
+int pam_init __P((struct passwd *pw, char **prompt, void **data));
 int pam_verify __P((struct passwd *pw, char *prompt, void **data));
 int pam_cleanup __P((struct passwd *pw, int status, void **data));
 int sia_setup __P((struct passwd *pw, char **prompt, void **data));
@@ -60,41 +61,44 @@ int dce_verify __P((struct passwd *pw, char *pass, void **data));
 
 /* Prototypes for normal methods */
 int passwd_verify __P((struct passwd *pw, char *pass, void **data));
-int secureware_setup __P((struct passwd *pw, char **prompt, void **data));
+int secureware_init __P((struct passwd *pw, char **prompt, void **data));
 int secureware_verify __P((struct passwd *pw, char *pass, void **data));
 int rfc1938_setup __P((struct passwd *pw, char **prompt, void **data));
 int rfc1938_verify __P((struct passwd *pw, char *pass, void **data));
 int afs_verify __P((struct passwd *pw, char *pass, void **data));
-int kerb4_setup __P((struct passwd *pw, char **prompt, void **data));
+int kerb4_init __P((struct passwd *pw, char **prompt, void **data));
 int kerb4_verify __P((struct passwd *pw, char *pass, void **data));
-int kerb5_setup __P((struct passwd *pw, char **prompt, void **data));
+int kerb5_init __P((struct passwd *pw, char **prompt, void **data));
 int kerb5_verify __P((struct passwd *pw, char *pass, void **data));
+int securid_init __P((struct passwd *pw, char **prompt, void **data));
+int securid_setup __P((struct passwd *pw, char **prompt, void **data));
+int securid_verify __P((struct passwd *pw, char *pass, void **data));
 
-/* Fields: need_root, name, setup, verify, cleanup */
-#define AUTH_ENTRY(r, n, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, s, v, c },
+/* Fields: need_root, name, init, setup, verify, cleanup */
+#define AUTH_ENTRY(r, n, i, s, v, c) { r, 1, AUTH_FAILURE, n, NULL, i, s, v, c },
 
 /* Some methods cannots (or should not) interoperate with any others */
 #if defined(HAVE_PAM)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "pam", pam_setup, pam_verify, pam_cleanup)
+	AUTH_ENTRY(1, "pam", pam_init, NULL, pam_verify, pam_cleanup)
 #elif defined(HAVE_SECURID)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "SecurId", securid_setup, securid_verify, NULL)
+	AUTH_ENTRY(1, "SecurId", securid_init, securid_setup, securid_verify, NULL)
 #elif defined(HAVE_SIA)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "sia", sia_setup, sia_verify, sia_cleanup)
+	AUTH_ENTRY(1, "sia", NULL, sia_setup, sia_verify, sia_cleanup)
 #elif defined(HAVE_DCE)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "dce", NULL, dce_verify, NULL)
+	AUTH_ENTRY(1, "dce", NULL, NULL, dce_verify, NULL)
 #elif defined(HAVE_AUTHENTICATE)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "aixauth", NULL, aixauth_verify, NULL)
+	AUTH_ENTRY(1, "aixauth", NULL, NULL, aixauth_verify, NULL)
 #elif defined(HAVE_FWTK)
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "fwtk", fwtk_setup, fwtk_verify, fwtk_cleanup)
+	AUTH_ENTRY(1, "fwtk", fwtk_init, NULL, fwtk_verify, fwtk_cleanup)
 #elif defined(OTP_ONLY) && (defined(HAVE_SKEY) || defined(HAVE_OPIE))
 #  define AUTH_STANDALONE \
-	AUTH_ENTRY(1, "rfc1938", rfc1938_setup, rfc1938_verify, NULL)
+	AUTH_ENTRY(1, "rfc1938", NULL, rfc1938_setup, rfc1938_verify, NULL)
 #  define AUTH_STANDALONE_GETPASS
 #endif