isa/sudo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
4,329 Commits 1 Branch 0 Tags
c5513388e0a1d7d2c44c12912d9d3485fc87cd36
Commit Graph

164 Commits

Author SHA1 Message Date
Todd C. Miller
f492e53056 Add bsm audit support from Christian S.J. Peron 2009-02-11 01:18:02 +00:00
Todd C. Miller
743c624954 Return PAM_AUTH_ERR instead of PAM_CONV_ERR if user enters ^C at the 
password prompt.
 2008-12-09 23:48:19 +00:00
Todd C. Miller
02a894a09c Use HAVE_SIA_SES_INIT instead of HAVE_SIA for Digital UNIX 2008-12-02 17:30:39 +00:00
Todd C. Miller
c3d3db62f4 MacOS pam will retry conversation function if it fails so just treat 
^C as an empty password.
 2008-11-22 18:17:44 +00:00
Todd C. Miller
875b888da6 add proto for aixauth_cleanup; from Dale King 2008-11-18 12:54:51 +00:00
Todd C. Miller
840acbd3ac Update copyright years. 2008-11-09 14:13:13 +00:00
Todd C. Miller
ff175f7f0a No longer treat an empty password at the prompt as special. To 
quit out of sudo you now need to hit ^C at the password prompt.
 2008-11-07 17:45:52 +00:00
Todd C. Miller
51fae2c9c3 Move clearing of AUTHSTATE into aixauth_cleanup. 2008-11-06 00:14:45 +00:00
Todd C. Miller
50d8974753 Unset AUTHSTATE after calling authenticate() as it may not be correct for 
the user we are running the command as.
 2008-11-06 00:08:24 +00:00
Todd C. Miller
13e2ccea68 Newer heimdal has 2-argument krb5_get_init_creds_opt_free() like MIT krb5. 
Really old heimdal has no krb5_get_init_creds_opt_alloc() at all.  Add
configure tests to handle all the cases.
 2008-10-23 16:06:23 +00:00
Todd C. Miller
d43f00c182 remove useless cast 2008-03-30 21:36:51 +00:00
Todd C. Miller
ee04914164 Add support for running a helper program to read the password when 
no tty is present (or when specified with the -A flag).  TODO: docs.
 2008-03-02 14:31:57 +00:00
Todd C. Miller
48eee67e55 Only set std_prompt for the PAM_PROMPT_* cases. The conversation function 
may be called for non-password reading purposes so we must be careful
not to use def_prompt in cases where it may not be set.
 2008-02-22 20:19:34 +00:00
Todd C. Miller
dd2c345be9 Avoid Heimdal'isms introduced in the rev 1.32 rewrite of verify_krb_v5_tgt() 2008-02-13 22:17:14 +00:00
Todd C. Miller
0851d77f10 Delay krb5_cc_initialize() until we actually need to use the cred cache, 
which is what krb5_verify_user() does.
Better cleanup on failure.
 2008-01-13 14:49:43 +00:00
Todd C. Miller
584ab252d7 Rewrite verify_krb_v5_tgt() based on what heimdal's krb5_verify_user() does. 2008-01-12 17:40:43 +00:00
Todd C. Miller
74c5dc4fad Add passprompt_override flag to sudoers that will cause the prompt 
to be overridden in all cases.  This flag is also set when the
user specifies the -p flag.
 2007-12-02 17:13:48 +00:00
Todd C. Miller
8694c73146 Add basic support for looking up the string "Password: " in the PAM 
localized text db.  This allows us to determine whether the PAM
prompt is the default "Password: " one even if it has been localized.

TODO: concatenate non-std PAM prompts and user-specified sudo prompts.
 2007-12-01 16:22:25 +00:00
Todd C. Miller
5a04b3ff9d Add --disable-pam-session configure option to disable calling 
pam_{open,close}_session.  May work around bugs in some PAM
implementations.
 2007-10-09 00:04:48 +00:00
Todd C. Miller
4f5e88532f PAM wants the full tty path so add user_ttypath which holds the 
full path to the tty or is NULL if no tty was present.
 2007-09-13 23:05:34 +00:00
Todd C. Miller
bb07eea18f Set PAM_RHOST to work around a bug in Solaris 7 and lower that 
results in a segv.
 2007-09-13 22:42:15 +00:00
Todd C. Miller
c572e31ff5 Remove call to krb5_cc_register() as it is not needed for modern kerb5. 2007-09-05 22:39:55 +00:00
Todd C. Miller
19fa259480 Remove support for compilers that don't support void * 2007-08-31 23:30:07 +00:00
Todd C. Miller
42ac4fb2cf Run cleanup code if the user hits ^C at the password prompt. 2007-07-22 12:14:18 +00:00
Todd C. Miller
b166928bac Some versions of pam_lastlog have a bug that will cause a crash if 
PAM_TTY is not set so if there is no tty, set PAM_TTY to the empty
string.
 2007-07-22 12:13:07 +00:00
Todd C. Miller
fd7a9af876 free message if set by authenticate() 2007-06-21 22:28:40 +00:00
Todd C. Miller
fc38e7c21e o use krb5_verify_user() if available instead of doing it by hand 
o use krb5_init_secure_context() if we have it
 o pass an encryption type of 0 to krb5_kt_read_service_key() instead of
   ENCTYPE_DES_CBC_MD5 to let kerberos choose.
 2007-06-09 11:24:49 +00:00
Todd C. Miller
8d97321150 If we cannot get a valid service key using the default keytab it 
is a fatal error.  Fixes a bug where sudo could be tricked into
allowing access when it should not by a fake KDC.
From Thor Lancelot Simon.
 2007-06-07 11:22:22 +00:00
Todd C. Miller
f2433e0368 Linux PAM now defines __LINUX_PAM__, not __LIBPAM_VERSION. 
From Dmitry V. Levin.
 2007-04-20 16:40:59 +00:00
Todd C. Miller
8d97a8d20f If the user enters ^C at the password prompt, abort instead of 
trying to authenticate with an empty password (which causes an
annoying delay).
 2006-09-29 14:53:42 +00:00
Todd C. Miller
26523a7ce6 Fix securid5 authentication, was not checking for ACM_OK. Also add 
default cases for the two switch()es.  Problem noted by ccon at worldbank
 2005-07-28 01:14:14 +00:00
Todd C. Miller
d281ff77e2 Fix call to pam_end() when pam_open_session() fails. 2005-06-25 18:29:17 +00:00
Todd C. Miller
d3b45ae3f1 Call pam_open_session() and pam_close_session() to give pam_limits a 
chance to run.  Idea from Karel Zak.
 2005-05-27 05:59:02 +00:00
Todd C. Miller
d857334e61 The component in krb5_principal_get_comp_string() should be 1, not 0 
for Heimdal.  From Alex Plotnick.
 2005-03-30 04:38:25 +00:00
Todd C. Miller
778d587063 Update copyright years. 2005-02-12 22:56:07 +00:00
Todd C. Miller
6548e82f20 Give user a clue when there is a missing "account" section in the PAM config. 2005-02-05 18:01:55 +00:00
Todd C. Miller
e6f51aa1af Better error handling. 2005-02-05 15:22:46 +00:00
Todd C. Miller
f7adbaddce Fix typo (missing comma) that caused an incorrect number of args 
to be passed to log_error().
 2005-02-05 02:49:53 +00:00
Todd C. Miller
3b8b88407f Add __unused to rcsids 2005-01-27 15:42:30 +00:00
Todd C. Miller
2dc559bf3e s/HAVE_AUTHENTICATE/HAVE_AIXAUTH/g 2005-01-21 15:29:55 +00:00
Todd C. Miller
2c2daa8eca Use: #include <config.h> 
Not: #include "config.h"
That way we get the correct config.h when build dir != src dir
 2004-11-19 18:39:14 +00:00
Todd C. Miller
a414762c4e Add local error/warning functions like err/warn but that call an additional 
cleanup routine in the error case.  This means we no longer need to compile
a special version of alloc.o for visudo.
 2004-11-19 17:24:20 +00:00
Todd C. Miller
529d2d200e Use pam_acct_mgmt() to check for disabled accounts; Brian Farrell 2004-06-28 14:51:50 +00:00
Todd C. Miller
ecdfa6373f update (c) year 2004-06-07 00:02:56 +00:00
Todd C. Miller
8268535ccc update (c) year 2004-06-07 00:02:56 +00:00
Todd C. Miller
77791e7ab3 Remove trailing spaces, no actual code changes. 2004-06-06 23:58:15 +00:00
Todd C. Miller
631cbc2857 krb5_mcc_ops should be const; Johnny C. Lam 2004-03-22 18:35:09 +00:00
Todd C. Miller
d2fa9af02d More to a less restrictive, ISC-style license. 2004-02-13 21:36:49 +00:00
Todd C. Miller
56b5cbc899 More to a less restrictive, ISC-style license. 2004-02-13 21:36:47 +00:00
Todd C. Miller
1a1009c060 More to a less restrictive, ISC-style license. 2004-02-13 21:36:47 +00:00