
ref: 8c9cbbb142cfbe595ead3d0003638e079053e683
parent: 081f98de6c71865a1a5e07a3cdf09d7d23848c2e
author: Ori Bernstein <ori@eigenstate.org>
date: Sun Jan 17 13:01:53 EST 2021

passwd: make legacy mode explicit

Passwd used to produce a very confusing error
about DES not being enabled whenever the password
was mistyped. This happened because we attempted
to guess what authentication method to use, and
presented the error from the wrong one on failure.

This puts the legacy mode behind a flag, so that
we don't even try the old method unless it's
explicitly requested.

--- a/sys/man/1/passwd
+++ b/sys/man/1/passwd
@@ -4,6 +4,9 @@
 .SH SYNOPSIS
 .B passwd
 [
+.IR -1
+]
+[
 .IR username [@ domain ]
 ]
 .PP
@@ -27,6 +30,16 @@
 New passwords and secrets must be typed twice, to forestall mistakes.
 New passwords must be sufficiently hard to guess.
 They may be of any length greater than seven characters.
+.PP
+By default, passwd requires the auth server to support
+.IR dp9ik (6).
+The
+.I -1
+flag forces
+.B passwd
+to authenticate using
+.IR p9sk1 (6).
+
 .PP
 .I Netkey
 prompts for a password to encrypt network challenges.
--- a/sys/src/cmd/auth/passwd.c
+++ b/sys/src/cmd/auth/passwd.c
@@ -7,7 +7,7 @@
 void
 main(int argc, char **argv)
 {
-	int fd, n, try;
+	int fd, n, dp9ik;
 	Ticketreq tr;
 	Ticket t;
 	Passwordreq pr;
@@ -15,7 +15,14 @@
 	char buf[512];
 	char *s, *user;
 
+	dp9ik = 1;
 	ARGBEGIN{
+	case '1':
+		dp9ik = 0;
+		break;
+	default:
+		fprint(2, "%s [-1]\n", argv0);
+		exits("usage");
 	}ARGEND
 
 	argv0 = "passwd";
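Review bot: The usage line in the new `default:` case, `fprint(2, "%s [-1]\n", argv0);`, omits both the conventional `usage:` prefix and the optional user argument that the man page synopsis in this same commit documents. I would write it as `fprint(2, "usage: %s [-1] [user[@domain]]\n", argv0);` so the message matches passwd(1). main's body starts before and continues after this hunk.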
@@ -48,31 +55,17 @@
 	memset(&pr, 0, sizeof(pr));
 	getpass(&key, pr.old, 0, 0);
 
-	/*
-	 *  negotiate PAK key. we need to retry in case the AS does
-	 *  not support the AuthPAK request or when the user has
-	 *  not yet setup a new key and the AS made one up.
-	 */
-	try = 0;
-	authpak_hash(&key, tr.uid);
-	if(_asgetpakkey(fd, &tr, &key) < 0){
-Retry:
-		try++;
-		close(fd);
-		fd = authdial(nil, s);
-		if(fd < 0)
-			error("authdial: %r");
+	if(dp9ik){
+		authpak_hash(&key, tr.uid);
+		if(_asgetpakkey(fd, &tr, &key) < 0)
+			error("%r");
 	}
-	/* send ticket request to AS */
 	if(_asrequest(fd, &tr) < 0)
 		error("%r");
 	if(_asgetresp(fd, &t, nil, &key) < 0)
 		error("%r");
-	if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0){
-		if(try == 0)
-			goto Retry;
+	if(t.num != AuthTp || strcmp(t.cuid, tr.uid) != 0)
 		error("bad password");
-	}
 
 	/* loop trying new passwords */
 	for(;;){
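Review bot: The three `error("%r")` calls on the new side give no indication of which step failed, so a dp9ik negotiation failure in `_asgetpakkey` reads the same as a failure in `_asrequest` or `_asgetresp`. Since the commit is about misleading diagnostics, label the PAK step, e.g. `error("dp9ik: %r")`, so that an operator can tell an auth server without dp9ik support from a mistyped password instead of reaching for `-1` by guesswork. The removed comment also recorded that the AS may make up a key for a user who has not yet set up a new one; that case presumably now ends in "bad password", and a one-line comment above `if(dp9ik){` such as `/* dp9ik is the default; -1 skips PAK and uses p9sk1 only, no automatic fallback */` would keep that decision visible. main's body starts before and continues after this hunk.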