authorBennett Samowich <bennett@foolean.org>2014-06-15 21:23:34 -0400
committerBennett Samowich <bennett@foolean.org>2014-06-17 17:00:11 -0400
commit9a1ee796634504a6f26a08fb8731c1d032dba9f2 (patch)
treefd5635f79fbbe5b33391869cffe06f7a59061ff5
parent6599d28d9df0bf0739c2c66468216f3a60127b1b (diff)
Added 'prompt' option
-rw-r--r--USAGE8
-rw-r--r--src/pam_radius_auth.c19
-rw-r--r--src/pam_radius_auth.h4
3 files changed, 29 insertions, 2 deletions
diff --git a/USAGE b/USAGE
index 3caa375..48f49b4 100644
--- a/USAGE
+++ b/USAGE
@@ -83,5 +83,13 @@ accounting_bug - When used, the accounting response vector is NOT
validated. This option will probably only be necessary
on REALLY OLD (i.e. Livingston 1.16) servers.
+prompt=string - Specifies the prompt, without the ': ', that PAM should
+ display when prompting for the password. This is useful
+ when using hardware tokens as part of multi-factor
+ authentication and presenting the same prompt twice would
+ confuse users. Use prompt=TokenCode (or some other
+ relevant string different from Password) in this
+ situation.
+
---------------------------------------------------------------------------
diff --git a/src/pam_radius_auth.c b/src/pam_radius_auth.c
index 887ee1e..d1ef370 100644
--- a/src/pam_radius_auth.c
+++ b/src/pam_radius_auth.c
@@ -95,6 +95,9 @@ static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf)
strcpy(conf_file, CONF_FILE);
+ /* set the default prompt */
+ snprintf(conf->prompt, MAXPROMPT, "%s: ", DEFAULT_PROMPT);
+
/*
* If either is not there, then we can't parse anything.
*/
@@ -140,6 +143,18 @@ static int _pam_parse(int argc, CONST char **argv, radius_conf_t *conf)
ctrl |= PAM_DEBUG_ARG;
conf->debug = 1;
+ } else if (!strncmp(*argv, "prompt=", 7)) {
+ if (!strncmp(conf->prompt, (char*)*argv+7, MAXPROMPT)) {
+ _pam_log(LOG_WARNING, "ignoring duplicate '%s'", *argv);
+ } else {
+ /* truncate excessive prompts to (MAXPROMPT - 3) length */
+ if (strlen((char*)*argv+7) >= (MAXPROMPT - 3)) {
+ *((char*)*argv+7 + (MAXPROMPT - 3)) = 0;
+ }
+ /* set the new prompt */
+ memset(conf->prompt, 0, sizeof(conf->prompt));
+ snprintf(conf->prompt, MAXPROMPT, "%s: ", (char*)*argv+7);
+ }
} else {
_pam_log(LOG_WARNING, "unrecognized option '%s'", *argv);
}
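Review bot: The truncation at `*((char*)*argv+7 + (MAXPROMPT - 3)) = 0;` writes through the CONST argv after casting the qualifier away, so the module modifies argument strings owned by its caller instead of bounding its own copy. Letting snprintf do the bounding removes both that write and the strlen block: `snprintf(conf->prompt, sizeof(conf->prompt), "%.*s: ", MAXPROMPT - 3, *argv + 7);`. The duplicate test compares the raw option value against conf->prompt, which already carries the ": " suffix, so a repeated `prompt=X` will not normally match and the warning is effectively unreachable. An overlong value is also shortened silently; a `_pam_log(LOG_WARNING, ...)` on that path would let an administrator notice. _pam_parse starts and ends outside this hunk.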
@@ -1123,7 +1138,7 @@ PAM_EXTERN int pam_sm_authenticate(pam_handle_t *pamh,int flags,int argc,CONST c
/* check to see if we send a NULL password the first time around */
if (!(ctrl & PAM_SKIP_PASSWD)) {
- retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password);
+ retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, config.prompt, &password);
PAM_FAIL_CHECK;
}
@@ -1406,7 +1421,7 @@ PAM_EXTERN int pam_sm_chauthtok(pam_handle_t *pamh, int flags, int argc, CONST c
/* preliminary password change checks. */
if (flags & PAM_PRELIM_CHECK) {
if (!password) { /* no previous password: ask for one */
- retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, "Password: ", &password);
+ retval = rad_converse(pamh, PAM_PROMPT_ECHO_OFF, config.prompt, &password);
PAM_FAIL_CHECK;
}
diff --git a/src/pam_radius_auth.h b/src/pam_radius_auth.h
index 5358764..b1ade51 100644
--- a/src/pam_radius_auth.h
+++ b/src/pam_radius_auth.h
@@ -39,6 +39,9 @@
#include "radius.h"
#include "md5.h"
+/* Defaults for the prompt option */
+#define MAXPROMPT 33 /* max prompt length, including '\0' */
+#define DEFAULT_PROMPT "Password" /* default prompt, without the ': ' */
/*************************************************************************
* Additional RADIUS definitions
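Review bot: The comment on `MAXPROMPT` reads as if an administrator could supply a 32-character prompt, but the parser in src/pam_radius_auth.c cuts the option value at `MAXPROMPT - 3` to leave room for the appended ": " and the terminator. I would word it as `/* size of prompt buffer: 30 chars + ": " + '\0' */` and state the 30-character limit in USAGE as well. The literal 3 used in the parser could be derived from a named constant here so the two stay in step if the suffix ever changes.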
@@ -69,6 +72,7 @@ typedef struct radius_conf_t {
int accounting_bug;
int sockfd;
int debug;
+ char prompt[MAXPROMPT];
} radius_conf_t;