passwd: make legacy mode explicit
Passwd used to produce a very confusing error about DES not being enabled whenever the password was mistyped. This happened because we attempted to guess which authentication method to use, and presented the error from the wrong one on failure. This puts the legacy mode behind a flag, so that we don't even try the old method unless it's explicitly requested.
This commit is contained in:
parent
081f98de6c
commit
8c9cbbb142
2 changed files with 26 additions and 20 deletions
|
@ -4,6 +4,9 @@ passwd, netkey \- change or verify user password
|
|||
.SH SYNOPSIS
|
||||
.B passwd
|
||||
[
|
||||
.IR -1
|
||||
]
|
||||
[
|
||||
.IR username [@ domain ]
|
||||
]
|
||||
.PP
|
||||
|
@ -27,6 +30,16 @@ secret.
|
|||
New passwords and secrets must be typed twice, to forestall mistakes.
|
||||
New passwords must be sufficiently hard to guess.
|
||||
They may be of any length greater than seven characters.
|
||||
.PP
|
||||
By default, passwd requires the auth server to support
|
||||
.IR dp9ik (6).
|
||||
The
|
||||
.I -1
|
||||
flag forces
|
||||
.B passwd
|
||||
to authenticate using
|
||||
.IR p9sk1 (6).
|
||||
|
||||
.PP
|
||||
.I Netkey
|
||||
prompts for a password to encrypt network challenges.
|
||||
|
|
|
@ -7,7 +7,7 @@
|
|||
void
|
||||
main(int argc, char **argv)
|
||||
{
|
||||
int fd, n, try;
|
||||
int fd, n, dp9ik;
|
||||
Ticketreq tr;
|
||||
Ticket t;
|
||||
Passwordreq pr;
|
||||
|
@ -15,7 +15,14 @@ main(int argc, char **argv)
|
|||
char buf[512];
|
||||
char *s, *user;
|
||||
|
||||
dp9ik = 1;
|
||||
ARGBEGIN{
|
||||
case '1':
|
||||
dp9ik = 0;
|
||||
break;
|
||||
default:
|
||||
fprint(2, "%s [-1]\n", argv0);
|
||||
exits("usage");
|
||||
}ARGEND
|
||||
|
||||
argv0 = "passwd";
|
||||
|
@ -48,31 +55,17 @@ main(int argc, char **argv)
|
|||
memset(&pr, 0, sizeof(pr));
|
||||
getpass(&key, pr.old, 0, 0);
|
||||
|
||||
/*
|
||||
* negotiate PAK key. we need to retry in case the AS does
|
||||
* not support the AuthPAK request or when the user has
|
||||
* not yet setup a new key and the AS made one up.
|
||||
*/
|
||||
try = 0;
|
||||
if(dp9ik){
|
||||
authpak_hash(&key, tr.uid);
|
||||
if(_asgetpakkey(fd, &tr, &key) < 0){
|
||||
Retry:
|
||||
try++;
|
||||
close(fd);
|
||||
fd = authdial(nil, s);
|
||||
if(fd < 0)
|
||||
error("authdial: %r");
|
||||
if(_asgetpakkey(fd, &tr, &key) < 0)
|
||||
error("%r");
|
||||
}
|
||||
/* send ticket request to AS */
|
||||
if(_asrequest(fd, &tr) < 0)
|
||||
error("%r");
|
||||
if(_asgetresp(fd, &t, nil, &key) < 0)
|
||||
error("%r");
|
||||
if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0){
|
||||
if(try == 0)
|
||||
goto Retry;
|
||||
if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0)
|
||||
error("bad password");
|
||||
}
|
||||
|
||||
/* loop trying new passwords */
|
||||
for(;;){
|
||||
|
|
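Review bot: The usage message added in the ARGBEGIN default case, `fprint(2, "%s [-1]\n", argv0);`, omits the optional username argument that the man page synopsis in this same commit documents (`passwd [ -1 ] [ username[@domain] ]`) and lacks the conventional `usage:` prefix; suggest `fprint(2, "usage: %s [-1] [username[@domain]]\n", argv0);` so the two stay in agreement. main() begins in the first hunk and its body continues past this one. In the last hunk the `try`/`Retry` logic is gone, but the comment above it also named a second reason for retrying — the user not yet having set up a new key and the AS making one up; if that case still arises for dp9ik users, they will now see `bad password` where the old code retried, which is worth a one-line comment above `if(dp9ik){` (that reading of the AS behaviour needs confirming, it is not visible here).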