From: jcs
Date: Tue, 7 Sep 2021 13:46:07 +0000 (+0000)
Subject: Retry up to 3 times on password authentication failure
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=960755fcf8c0e1f11073bbb512ed2a7172b3db21;p=openbsd

Retry up to 3 times on password authentication failure

ok martijn support from various
---

diff --git a/usr.bin/doas/doas.c b/usr.bin/doas/doas.c
index 5fccac85724..5d440311ffe 100644
--- a/usr.bin/doas/doas.c
+++ b/usr.bin/doas/doas.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.c,v 1.90 2021/07/12 15:09:19 beck Exp $ */
+/* $OpenBSD: doas.c,v 1.91 2021/09/07 13:46:07 jcs Exp $ */
 /*
 * Copyright (c) 2015 Ted Unangst
 *
@@ -199,7 +199,7 @@ checkconfig(const char *confpath, int argc, char **argv,
 }
 }
 
-static void
+static int
 authuser(char *myname, char *login_style, int persist)
 {
 char *challenge = NULL, *response, rbuf[1024], cbuf[128];
@@ -214,8 +214,10 @@ authuser(char *myname, char *login_style, int persist)
 }
 
 if (!(as = auth_userchallenge(myname, login_style, "auth-doas",
- &challenge)))
- errx(1, "Authentication failed");
+ &challenge))) {
+ warnx("Authentication failed");
+ return AUTH_FAILED;
+ }
 if (!challenge) {
 char host[HOST_NAME_MAX + 1];
 if (gethostname(host, sizeof(host)))
@@ -235,7 +237,8 @@ authuser(char *myname, char *login_style, int persist)
 explicit_bzero(rbuf, sizeof(rbuf));
 syslog(LOG_AUTHPRIV | LOG_NOTICE,
 "failed auth for %s", myname);
- errx(1, "Authentication failed");
+ warnx("Authentication failed");
+ return AUTH_FAILED;
 }
 explicit_bzero(rbuf, sizeof(rbuf));
 good:
@@ -244,6 +247,8 @@ good:
 ioctl(fd, TIOCSETVERAUTH, &secs);
 close(fd);
 }
+
+ return AUTH_OK;
 }
 
 int
@@ -306,6 +311,7 @@ main(int argc, char **argv)
 int i, ch, rv;
 int sflag = 0;
 int nflag = 0;
+ int authed = AUTH_FAILED;
 char cwdpath[PATH_MAX];
 const char *cwd;
 char *login_style = NULL;
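Review bot: Both new `return AUTH_FAILED;` paths in authuser() (after the failed auth_userchallenge() call and after the `failed auth for %s` syslog) leave the function without releasing `fd`, which only the `good:` path closes with `close(fd)`. Before this change those paths ended in errx(), so the process exited and the descriptor did not matter; now main() calls authuser() again on failure, and if `fd` is opened near the top of the function (that part is outside the hunks, so this is inferred) each retry would leave one more descriptor open on the tty. Closing it before each failure return, guarded the same way the `good:` path guards it, e.g. `if (fd != -1) close(fd);`, or moving the retry loop inside authuser() around the challenge/response step only, would avoid that. The start of authuser() is not visible in these hunks.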
@@ -408,7 +414,15 @@ main(int argc, char **argv)
 if (nflag)
 errx(1, "Authentication required");
 
- authuser(mypw->pw_name, login_style, rule->options & PERSIST);
+ for (i = 0; i < AUTH_RETRIES; i++) {
+ authed = authuser(mypw->pw_name, login_style,
+ rule->options & PERSIST);
+ if (authed == AUTH_OK)
+ break;
+ }
+
+ if (authed != AUTH_OK)
+ exit(1);
 }
 
 if ((p = getenv("PATH")) != NULL)
diff --git a/usr.bin/doas/doas.h b/usr.bin/doas/doas.h
index 0b3585822eb..3a9bf4d4de2 100644
--- a/usr.bin/doas/doas.h
+++ b/usr.bin/doas/doas.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: doas.h,v 1.17 2021/01/27 17:02:50 millert Exp $ */
+/* $OpenBSD: doas.h,v 1.18 2021/09/07 13:46:07 jcs Exp $ */
 /*
 * Copyright (c) 2015 Ted Unangst
 *
@@ -43,3 +43,7 @@ char **prepenv(const struct rule *, const struct passwd *,
 #define KEEPENV 0x2
 #define PERSIST 0x4
 #define NOLOG 0x8
+
+#define AUTH_FAILED -1
+#define AUTH_OK 0
+#define AUTH_RETRIES 3
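Review bot: The retry loop in main() repeats authuser() on every `AUTH_FAILED`, but authuser() returns that same value both when the response is rejected and when auth_userchallenge() itself fails. If the latter is a setup failure that re-prompting cannot fix (this depends on auth_userchallenge(), which is not shown), the user sees `Authentication failed` three times without being prompted, and only the rejected-response path writes to syslog. Consider returning a distinct value for the challenge failure, exiting on it immediately, and logging it at `LOG_AUTHPRIV | LOG_NOTICE` like the other path so it is visible in the auth log. A one-line comment above the loop stating that `AUTH_RETRIES` bounds password attempts per invocation would also help.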
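Review bot: In the doas.h hunk, `AUTH_FAILED` expands to an unparenthesised `-1`, which is fragile if the macro is ever used inside a larger expression; write `#define AUTH_FAILED (-1)` or make the three values an `enum`. The names are also close to the BSD auth state flags such as `AUTH_OKAY` from <login_cap.h>, where success is a non-zero bit rather than 0, so the two could be confused in code that handles both. A short comment above the block, e.g. `/* return values of authuser() */`, would make the intended scope clear.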