From: Russ Cox rsc@pla...
Subject: No subject
Date: Thu, 27 Aug 1998 10:08:26 -0400
a slightly more elegant way is to just always do challenge
response, and fire up netkey when you want to use a password.
having su accept a password encourages people to type their
passwords over the network. if netkey is the only thing
that accepts passwords (aside from the boot process), then
you only have to worry about training users not to run netkey
remotely.
i've been using the following for quite a while. i think
it's a cross between something i wrote and something tom killian wrote.
it accepts a -n option to say don't reinitialize the namespace,
and a -c option to specify a command to run instead of a shell.
#include <u.h>
#include <libc.h>
#include <auth.h>
/* Incremented once per -D flag; nothing in this listing reads it afterwards. */
int debug;
/* Challenge state: filled in by getchal() and passed back to chalreply(). */
Chalstate chal;
/*
 * Text the user types in answer to the challenge. File scope, so it starts
 * zero-filled; main reads at most NETCHLEN-1 bytes into it, which leaves a
 * terminating NUL in place.
 */
char response[NETCHLEN];
/* Non-zero when -n was given: main then skips the newns() call. */
int nflag;
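/* Print the usage line and exit with status "usage". */
static void
usage(void)
{
	fprint(2, "usage: %s [-n] [-c cmd] user\n", argv0);
	exits("usage");
}

/*
 * Become `user` via challenge/response and run a shell (or one command) as them.
 *
 * Flags:
 *	-n	do not rebuild the namespace with newns()
 *	-c cmd	run `rc -c cmd` instead of an interactive `rc -i`
 *	-D	bump the debug counter
 *
 * No password is ever accepted here: the only secret typed is the response
 * to the challenge printed by this program.  Every authentication failure
 * exits with status "Sorry"; the exec calls run only after the chosen
 * authentication path has succeeded.
 */
void
main(int argc, char **argv)
{
	int fd, r;
	char *cmd = nil;

	ARGBEGIN{
	case 'n':
		++nflag;
		break;
	case 'c':
		/* ARGF() yields nil when -c has no argument; without this check
		 * the tool would silently start an interactive shell instead. */
		cmd = ARGF();
		if(cmd == nil)
			usage();
		break;
	case 'D':
		++debug;
		break;
	default:
		/* reject unknown flags rather than ignoring them */
		usage();
	}ARGEND

	if(argc != 1)
		usage();

	if(strcmp(argv[0], "none") == 0){
		/*
		 * "none" takes no challenge: the name is written straight to
		 * /dev/user.  NOTE(review): presumably the kernel permits any
		 * process to drop to none this way -- confirm.
		 */
		fd = open("/dev/user", ORDWR);
		if(fd < 0){
			fprint(2, "%s: can't open /dev/user: %r\n", argv0);
			exits("Sorry");
		}
		r = write(fd, "none", 4);
		close(fd);
		if(r < 0){
			fprint(2, "%s: can't write /dev/user: %r\n", argv0);
			exits("Sorry");
		}
	}else{
		r = getchal(&chal, argv[0]);
		if(r < 0){
			fprint(2, "%s: %r\n", argv0);
			exits("Sorry");
		}
		print("challenge: %s\nresponse: ", chal.chal);

		/*
		 * Bound the read to NETCHLEN-1 so a terminator always fits, and
		 * fail closed on EOF or error instead of submitting an empty
		 * response.  The bytes are handed on as read (including any
		 * trailing newline), exactly as before.
		 */
		r = read(0, response, NETCHLEN-1);
		if(r <= 0){
			fprint(2, "%s: no response read\n", argv0);
			exits("Sorry");
		}
		response[r] = '\0';

		r = chalreply(&chal, response);
		if(r < 0){
			fprint(2, "%s: %r\n", argv0);
			exits("Sorry");
		}
	}

	/* Rebuild the namespace for the new user unless -n asked to keep it. */
	if(!nflag && newns(argv[0], 0)){
		fprint(2, "%s (newns): %r\n", argv0);
		exits("Sorry");
	}

	/* nil, not a bare 0, terminates the variadic list: an int 0 is only a
	 * valid end marker where int and pointer have the same width. */
	if(cmd)
		execl("/bin/rc", "rc", "-c", cmd, nil);
	else
		execl("/bin/rc", "rc", "-i", nil);

	/* execl returns only on failure */
	fprint(2, "%s: exec /bin/rc failed: %r\n", argv0);
	exits("exec");
}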