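/*
 * From mboxrd@z Thu Jan 1 00:00:00 1970
 * Date: Thu, 27 Aug 1998 10:08:26 -0400
 * From: Russ Cox rsc@plan9.bell-labs.com
 * Subject: No subject
 * Topicbox-Message-UUID: 7dc68bdc-eac8-11e9-9e20-41e7f4b1d025
 * Message-ID: <19980827140826.sBm1w3d6rX0dENBppMyNDCwHMiKyxHWiEUL7pPdFCP8@z>
 *
 * a slightly more elegant way is to just always do challenge response,
 * and fire up netkey when you want to use a password. having su accept
 * a password encourages people to type their passwords over the network.
 * if netkey is the only thing that accepts passwords (aside from the
 * boot process), then you only have to worry about training users not
 * to run netkey remotely.
 *
 * i've been using the following for quite a while. i think it's a cross
 * between something i wrote and something tom killian wrote. it accepts
 * a -n option to say don't reinitialize the namespace, and a -c option
 * to specify a command to run instead of a shell.
 */

/*
 * NOTE(review): the archive stripped the header names from the three
 * #include lines. They are restored here as the usual Plan 9 set for
 * code using Chalstate/getchal/chalreply; confirm against the original.
 */
#include <u.h>
#include <libc.h>
#include <auth.h>

int debug;			/* bumped by -D; not read anywhere in this file */
Chalstate chal;			/* challenge state filled in by getchal() */
char response[NETCHLEN];	/* user's typed reply to the challenge */
int nflag;			/* -n: keep the current namespace */

/* Print the usage line and exit with status "usage". */
static void
usage(void)
{
	fprint(2, "usage: %s [-n] [-c cmd] user\n", argv0);
	exits("usage");
}

/*
 * Become `user' after a challenge/response exchange, then exec rc.
 *
 * No password is ever read here: the program prints the challenge and
 * reads the reply that the user computed elsewhere (the message above
 * suggests netkey, run locally).
 *
 * Options:
 *	-n	do not rebuild the namespace with newns()
 *	-c cmd	run `rc -c cmd' instead of an interactive `rc -i'
 *	-D	increment the debug counter
 *
 * Every authentication or setup failure exits with status "Sorry";
 * a failed exec exits with status "exec".
 */
void
main(int argc, char **argv)
{
	int fd, r;
	long n;
	char *cmd = nil;

	ARGBEGIN{
	case 'n':
		++nflag;
		break;
	case 'c':
		cmd = ARGF();
		/* -c with no argument used to fall through silently to an interactive shell */
		if(cmd == nil)
			usage();
		break;
	case 'D':
		++debug;
		break;
	default:
		/* reject unknown flags instead of ignoring them */
		usage();
	}ARGEND

	if(argc != 1)
		usage();

	if(strcmp(argv[0], "none") == 0){
		/*
		 * This branch issues no challenge: writing "none" to
		 * /dev/user is the whole operation in this code.
		 */
		fd = open("/dev/user", ORDWR);
		if(fd < 0){
			fprint(2, "%s: can't open /dev/user: %r\n", argv0);
			exits("Sorry");
		}
		r = write(fd, "none", 4);
		close(fd);
		if(r < 0){
			fprint(2, "%s: can't write /dev/user: %r\n", argv0);
			exits("Sorry");
		}
	}else{
		/* presumably fetches a challenge for argv[0] from the auth service; see getchal's documentation */
		r = getchal(&chal, argv[0]);
		if(r < 0){
			fprint(2, "%s: %r\n", argv0);
			exits("Sorry");
		}
		print("challenge: %s\nresponse: ", chal.chal);

		/*
		 * The original ignored read()'s result and relied on the
		 * zero-initialised global for termination. Fail closed on
		 * EOF or error and terminate the reply explicitly, so that
		 * chalreply() never sees a stale or unterminated buffer.
		 *
		 * The bytes are otherwise passed through unchanged, trailing
		 * newline included, as before.
		 * NOTE(review): confirm chalreply() tolerates the newline.
		 * Input beyond NETCHLEN-1 bytes stays unread on fd 0, which
		 * the exec'd rc inherits.
		 */
		n = read(0, response, NETCHLEN-1);
		if(n <= 0){
			fprint(2, "%s: no response\n", argv0);
			exits("Sorry");
		}
		response[n] = '\0';

		r = chalreply(&chal, response);
		if(r < 0){
			fprint(2, "%s: %r\n", argv0);
			exits("Sorry");
		}
	}

	/* rebuild the namespace for the new user unless -n was given */
	if(!nflag && newns(argv[0], nil)){
		fprint(2, "%s (newns): %r\n", argv0);
		exits("Sorry");
	}

	/* terminate the argument lists with nil, a pointer, rather than the int 0 */
	if(cmd)
		execl("/bin/rc", "rc", "-c", cmd, nil);
	else
		execl("/bin/rc", "rc", "-i", nil);

	/* reached only if execl returned, i.e. the exec failed */
	fprint(2, "%s: exec /bin/rc failed: %r\n", argv0);
	exits("exec");
}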