Increase the default synchronization window, and provide options to
control it. git-svn-id: svn+ssh://svn.openpam.org/svn/openpam/trunk@707 185d5e19-27fe-0310-9dcf-9bff6b9f3609
This commit is contained in:
parent
b9ec47c689
commit
a03bbedb50
|
@ -50,6 +50,8 @@
|
||||||
#include <security/oath.h>
|
#include <security/oath.h>
|
||||||
|
|
||||||
#define PAM_OATH_PROMPT "Verification code: "
|
#define PAM_OATH_PROMPT "Verification code: "
|
||||||
|
#define PAM_OATH_HOTP_WINDOW 3
|
||||||
|
#define PAM_OATH_TOTP_WINDOW 3
|
||||||
|
|
||||||
enum pam_oath_nokey { nokey_error = -1, nokey_fail, nokey_fake, nokey_ignore };
|
enum pam_oath_nokey { nokey_error = -1, nokey_fail, nokey_fake, nokey_ignore };
|
||||||
|
|
||||||
|
@ -77,6 +79,28 @@ pam_oath_nokey_option(pam_handle_t *pamh, const char *option)
|
||||||
return (nokey_error);
|
return (nokey_error);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Parse a numeric option. Returns -1 if the option is not set or its
|
||||||
|
* value is not an integer in the range [0, INT_MAX].
|
||||||
|
*/
|
||||||
|
static int
|
||||||
|
pam_oath_int_option(pam_handle_t *pamh, const char *option)
|
||||||
|
{
|
||||||
|
const char *value;
|
||||||
|
char *end;
|
||||||
|
long num;
|
||||||
|
|
||||||
|
if ((value = openpam_get_option(pamh, option)) == NULL)
|
||||||
|
return (-1);
|
||||||
|
num = strtol(value, &end, 10);
|
||||||
|
if (*value == '\0' || *end != '\0' || num < 0 || num > INT_MAX) {
|
||||||
|
openpam_log(PAM_LOG_ERROR, "the value of the %s option "
|
||||||
|
"is invalid.", option);
|
||||||
|
return (-1);
|
||||||
|
}
|
||||||
|
return (num);
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Determine the location of the user's keyfile.
|
* Determine the location of the user's keyfile.
|
||||||
*/
|
*/
|
||||||
|
@ -155,7 +179,7 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||||
struct oath_key *key;
|
struct oath_key *key;
|
||||||
unsigned long response;
|
unsigned long response;
|
||||||
char *password, *end;
|
char *password, *end;
|
||||||
int pam_err, ret;
|
int pam_err, ret, window;
|
||||||
|
|
||||||
/* unused */
|
/* unused */
|
||||||
(void)flags;
|
(void)flags;
|
||||||
|
@ -234,10 +258,17 @@ pam_sm_authenticate(pam_handle_t *pamh, int flags,
|
||||||
response = ULONG_MAX;
|
response = ULONG_MAX;
|
||||||
|
|
||||||
/* verify response */
|
/* verify response */
|
||||||
if (key->mode == om_hotp)
|
if (key->mode == om_hotp) {
|
||||||
ret = oath_hotp_match(key, response, 1);
|
if ((window = pam_oath_int_option(pamh, "hotp_window")) < 0 &&
|
||||||
else
|
(window = pam_oath_int_option(pamh, "window")) < 0)
|
||||||
ret = oath_totp_match(key, response, 1);
|
window = PAM_OATH_HOTP_WINDOW;
|
||||||
|
ret = oath_hotp_match(key, response, window);
|
||||||
|
} else {
|
||||||
|
if ((window = pam_oath_int_option(pamh, "totp_window")) < 0 &&
|
||||||
|
(window = pam_oath_int_option(pamh, "window")) < 0)
|
||||||
|
window = PAM_OATH_TOTP_WINDOW;
|
||||||
|
ret = oath_totp_match(key, response, window);
|
||||||
|
}
|
||||||
openpam_log(PAM_LOG_VERBOSE, "verification code %s",
|
openpam_log(PAM_LOG_VERBOSE, "verification code %s",
|
||||||
ret ? "matched" : "did not match");
|
ret ? "matched" : "did not match");
|
||||||
if (ret == 0) {
|
if (ret == 0) {
|
||||||
|
|
Loading…
Reference in New Issue