Check-in [846f86fdc2]
Comment:- Set the sameuser flag when a non-root user manipulates their own key. - Rename the uri command to geturi (but retain backward compatibility). - Add a getkey command that prints the key in hexadecimal.
SHA1: 846f86fdc26bb0132cd67dace6d3ec5319841146
User & Date: des 2014-10-08 11:02:44

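--- a/bin/oathkey/oathkey.1
+++ b/bin/oathkey/oathkey.1
@@ -24,15 +24,15 @@
 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
 .\" $Id$
 .\"
-.Dd March 9, 2014
+.Dd October 8, 2014
 .Dt OATHKEY 1
 .Os
 .Sh NAME
 .Nm oathkey
 .Nd OATH key management tool
 .Sh SYNOPSIS
 .Nm
@@ -67,23 +67,28 @@
 .Pp
 The commands are:
 .Bl -tag -width 6n
 .It Cm genkey
 Generate a new key.
 If writeback mode is enabled, the user's key is set; otherwise, it is
 printed to standard output.
-.It Cm setkey Ar uri
-Set the user's key to the given otpauth URI.
-.It Cm uri
+.It Cm getkey
+Print the user's key.
+.It Cm geturi
 Print the user's key in otpauth URI form.
+.It Cm setkey Ar uri
+Set the user's key to the given otpauth URI.
 .It Cm verify Ar code
 Verify that the given code is the correct current response for the
 user's key.
 If writeback mode is enabled and the response matched, the user's
 keyfile is updated to prevent reuse.
+.It Cm uri
+Deprecated synonym for
+.Cm geturi .
 .El
 .Sh SEE ALSO
 .Xr oath_hotp 3 ,
 .Xr oath_key 3 ,
 .Xr oath_totp 3 ,
 .Xr pam_oath 8
 .Sh AUTHORS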
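--- a/bin/oathkey/oathkey.c
+++ b/bin/oathkey/oathkey.c
@@ -55,20 +55,34 @@
 static char *user;
 static char *keyfile;
 static int verbose;
 static int writeback;
 
 static int isroot;		/* running as root */
 static int issameuser;		/* real user same as target user */
+
+/*
+ * Print key in hexadecimal form
+ */
+static int
+oathkey_print_hex(struct oath_key *key)
+{
+	unsigned int i;
+
+	for (i = 0; i < key->keylen; ++i)
+		printf("%02x", key->key[i]);
+	printf("\n");
+	return (RET_SUCCESS);
+}
 
 /*
  * Print key in otpauth URI form
  */
 static int
-oathkey_print(struct oath_key *key)
+oathkey_print_uri(struct oath_key *key)
 {
 	char *keyuri;
 
 	if ((keyuri = oath_key_to_uri(key)) == NULL) {
 		warnx("failed to convert key to otpauth URI");
 		return (RET_ERROR);
 	}
@@ -83,14 +97,16 @@
  */
 static int
 oathkey_save(struct oath_key *key)
 {
 	char *keyuri;
 	int fd, len, ret;
 
+	if (verbose)
+		warnx("saving key to %s", keyfile);
 	keyuri = NULL;
 	len = 0;
 	fd = ret = -1;
 	if ((keyuri = oath_key_to_uri(key)) == NULL) {
 		warnx("failed to convert key to otpauth URI");
 		goto done;
 	}
@@ -122,15 +138,15 @@
 	if (argc != 0)
 		return (RET_USAGE);
 	(void)argv;
 	if (!isroot && !issameuser)
 		return (RET_UNAUTH);
 	if ((key = oath_key_create(user, om_totp, oh_undef, NULL, 0)) == NULL)
 		return (RET_ERROR);
-	ret = writeback ? oathkey_save(key) : oathkey_print(key);
+	ret = writeback ? oathkey_save(key) : oathkey_print_uri(key);
 	oath_key_free(key);
 	return (ret);
 }
 
 /*
  * Set a user's key
  */
@@ -148,32 +164,57 @@
 		return (RET_UNAUTH);
 	if ((key = oath_key_from_uri(argv[0])) == NULL)
 		return (RET_ERROR);
 	ret = oathkey_save(key);
 	oath_key_free(key);
 	return (ret);
 }
+
+/*
+ * Print raw key in hexadecimal
+ */
+static int
+oathkey_getkey(int argc, char *argv[])
+{
+	struct oath_key *key;
+	int ret;
+
+	if (argc != 0)
+		return (RET_USAGE);
+	(void)argv;
+	if (!isroot && !issameuser)
+		return (RET_UNAUTH);
+	if (verbose)
+		warnx("loading key from %s", keyfile);
+	if ((key = oath_key_from_file(keyfile)) == NULL)
+		return (RET_ERROR);
+	ret = oathkey_print_hex(key);
+	oath_key_free(key);
+	return (ret);
+}
 
 /*
  * Print the otpauth URI for a key
  */
 static int
-oathkey_uri(int argc, char *argv[])
+oathkey_geturi(int argc, char *argv[])
 {
 	struct oath_key *key;
 	int ret;
 
 	if (argc != 0)
 		return (RET_USAGE);
 	(void)argv;
 	if (!isroot && !issameuser)
 		return (RET_UNAUTH);
+	if (verbose)
+		warnx("loading key from %s", keyfile);
 	if ((key = oath_key_from_file(keyfile)) == NULL)
 		return (RET_ERROR);
-	ret = oathkey_print(key);
+	ret = oathkey_print_uri(key);
 	oath_key_free(key);
 	return (ret);
 }
 
 /*
  * Check whether a given response is correct for the given keyfile.
  */
@@ -183,14 +224,16 @@
 	struct oath_key *key;
 	unsigned long response;
 	char *end;
 	int match, ret;
 
 	if (argc < 1)
 		return (RET_USAGE);
+	if (verbose)
+		warnx("loading key from %s", keyfile);
 	if ((key = oath_key_from_file(keyfile)) == NULL)
 		return (RET_ERROR);
 	response = strtoul(*argv, &end, 10);
 	if (end == *argv || *end != '\0')
 		response = ULONG_MAX; /* never valid */
 	if (key->mode == om_totp)
 		match = oath_totp_match(key, response, 3 /* XXX window */);
@@ -220,16 +263,17 @@
 usage(void)
 {
 	fprintf(stderr,
 	    "usage: oathkey [-hvw] [-u user] [-k keyfile] <command>\n"
 	    "\n"
 	    "Commands:\n"
 	    "    genkey      Generate a new key\n"
+	    "    getkey      Print the key in hexadecimal form\n"
+	    "    geturi      Print the key in otpauth URI form\n"
 	    "    setkey      Generate a new key\n"
-	    "    uri         Print the key in otpauth URI form\n"
 	    "    verify <response>\n"
 	    "                Verify a response\n");
 	exit(1);
 }
 
 int
 main(int argc, char *argv[])
@@ -289,14 +333,15 @@
 	 * that corresponds to our real UID.
 	 */
 	if (user == NULL) {
 		if ((pw = getpwuid(getuid())) == NULL)
 			errx(1, "who are you?");
 		if (asprintf(&user, "%s", pw->pw_name) < 0)
 			err(1, "asprintf()");
+		issameuser = 1;
 	}
 
 	/*
 	 * If no keyfile was specified on the command line, derive it from
 	 * the user name.
 	 */
 	if (keyfile == NULL)
@@ -307,18 +352,20 @@
 	/*
 	 * Execute the requested command
 	 */
 	if (strcmp(cmd, "help") == 0)
 		ret = RET_USAGE;
 	else if (strcmp(cmd, "genkey") == 0)
 		ret = oathkey_genkey(argc, argv);
-	else if (strcmp(cmd, "setkey") == 0)
-		ret = oathkey_setkey(argc, argv);
-	else if (strcmp(cmd, "uri") == 0)
-		ret = oathkey_uri(argc, argv);
+	else if (strcmp(cmd, "getkey") == 0)
+		ret = oathkey_getkey(argc, argv);	
+	else if (strcmp(cmd, "geturi") == 0 || strcmp(cmd, "uri") == 0)
+		ret = oathkey_geturi(argc, argv);
+	else if (strcmp(cmd, "setkey") == 0)
+		ret = oathkey_setkey(argc, argv);
 	else if (strcmp(cmd, "verify") == 0)
 		ret = oathkey_verify(argc, argv);
 	else
 		ret = RET_USAGE;
 
 	/*
 	 * Check result and act accordingly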
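Review bot: `issameuser = 1;` is assigned only inside the `if (user == NULL)` branch, so the flag records "no -u option was given" rather than what its declaration comment promises ("real user same as target user"); as far as the hunk shows, a non-root caller who names their own account with `-u` is still refused by the `!isroot && !issameuser` guards in oathkey_getkey and oathkey_geturi, and any future assignment to `user` elsewhere would silently inherit the flag's value. Deriving the flag from an actual comparison keeps it honest and still fails closed: after the block, `if ((pw = getpwuid(getuid())) != NULL) issameuser = (strcmp(user, pw->pw_name) == 0);`, at which point the `user == NULL` branch no longer needs to set it. main's body continues both before and after this hunk. Separately, the new dispatch line `ret = oathkey_getkey(argc, argv);` carries a trailing tab, and the usage() text next to the added getkey/geturi entries still describes `setkey` as "Generate a new key"; `"    setkey <uri> Set the key from an otpauth URI\n"` would match oathkey.1.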