diff --git a/pam_yubico.8.txt b/pam_yubico.8.txt index 724d701..5f36c81 100644 --- a/pam_yubico.8.txt +++ b/pam_yubico.8.txt @@ -96,7 +96,7 @@ An ldap filter to use for attempting to find the correct object in LDAP. In this Ca certfile for the LDAP connection. *chalresp_path*=_path_:: -Path of a system wide directory where challenge response files can be found for users. Default location is $HOME/.yubico/ +Path of a system wide directory where challenge-response files can be found for users. Default location is $HOME/.yubico/ == EXAMPLES diff --git a/pam_yubico.c b/pam_yubico.c index 85279ff..d157b35 100644 --- a/pam_yubico.c +++ b/pam_yubico.c @@ -181,7 +181,7 @@ authorize_user_token (struct cfg *cfg, ..... i.e. ~/.yubico/authorized_yubikeys */ if (! get_user_cfgfile_path (NULL, "authorized_yubikeys", p, &userfile)) { - DBG ("Failed figuring out per-user cfgfile"); + DBG ("Failed to figure out per-user cfgfile"); return AUTH_ERROR; } @@ -292,7 +292,7 @@ authorize_user_token_ldap (struct cfg *cfg, DBG ("try bind with: %s:[%s]", cfg->ldap_bind_user, cfg->ldap_bind_password); rc = ldap_simple_bind_s (ld, cfg->ldap_bind_user, cfg->ldap_bind_password); } else { - DBG ("try bind anonymous"); + DBG ("try anonymous bind"); rc = ldap_simple_bind_s (ld, NULL, NULL); } if (rc != LDAP_SUCCESS) @@ -378,7 +378,7 @@ authorize_user_token_ldap (struct cfg *cfg, } if(token_id && !strncmp (token_id, vals[i]->bv_val + yubi_attr_prefix_len, strlen (vals[i]->bv_val + yubi_attr_prefix_len))) { - DBG ("Token Found :: %s", vals[i]->bv_val); + DBG ("Token found :: %s", vals[i]->bv_val); retval = AUTH_FOUND; } } @@ -512,7 +512,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) } if (! init_yubikey(&yk)) { - DBG("Failed initializing YubiKey"); + DBG("Failed to initialize YubiKey"); goto out; } 
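Review bot: In authorize_user_token_ldap (hunk at -292), the context line just above the reworded message, `DBG ("try bind with: %s:[%s]", cfg->ldap_bind_user, cfg->ldap_bind_password);`, writes the LDAP bind password to the debug output in clear text. Anyone who can read the debug output then holds the bind account's credential, so the message should name only the bind user: `DBG ("try bind with: %s", cfg->ldap_bind_user);`. The function body starts and ends outside this hunk.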
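Review bot: The token match in authorize_user_token_ldap (hunk at -378, the `strncmp` above the reworded "Token found" message) takes its length from the directory value, `strlen (vals[i]->bv_val + yubi_attr_prefix_len)`, so it is a prefix comparison rather than an equality test. A stored value shorter than the token id still sets `AUTH_FOUND`, and an empty remainder compares zero bytes and reports a match. Unless a length check outside this hunk already rules that out, require equal lengths as well, e.g. add `strlen (token_id) == strlen (vals[i]->bv_val + yubi_attr_prefix_len) &&` to the condition. The call also assumes `bv_val` is NUL-terminated; bounding the comparison with `bv_len` would remove that assumption.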
@@ -522,7 +522,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) } if (! get_user_challenge_file (yk, cfg->chalresp_path, p, &userfile, cfg->debug_file)) { - DBG("Failed getting user challenge file for user %s", username); + DBG("Failed to get user challenge file for user %s", username); goto out; } @@ -531,7 +531,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) /* Drop privileges before opening user file (if we're not using system-wide dir). */ if (!cfg->chalresp_path) { if (pam_modutil_drop_priv(pamh, &privs, p)) { - DBG ("could not drop privileges"); + DBG ("Could not drop privileges"); goto out; } } @@ -572,7 +572,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (!cfg->chalresp_path) { if (pam_modutil_regain_priv(pamh, &privs)) { - DBG ("could not restore privileges"); + DBG ("Could not restore privileges"); goto out; } } @@ -580,7 +580,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (! challenge_response(yk, state.slot, state.challenge, state.challenge_len, true, true, false, buf, sizeof(buf), &response_len)) { - DBG("Challenge-response FAILED"); + DBG("Challenge-response failed"); goto out; } @@ -598,7 +598,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (memcmp(buf, state.response, state.response_len) == 0) { ret = PAM_SUCCESS; } else { - DBG("Unexpected C/R response : %s", response_hex); + DBG("Unexpected response: %s", response_hex); goto out; } @@ -606,7 +606,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) errstr = "Error generating new challenge, please check syslog or contact your system administrator"; if (generate_random(state.challenge, sizeof(state.challenge))) { - DBG("Failed generating new challenge!"); + DBG("Failed to generate new challenge!"); goto out; } 
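Review bot: The response check in do_challenge_response (hunk at -598), `memcmp(buf, state.response, state.response_len)`, takes its length from the stored state, and the hunk shows no check that this length is non-zero or agrees with the `response_len` returned by the key. If nothing outside the hunk validates it, a state with a zero or short `response_len` reaches `ret = PAM_SUCCESS` after comparing few or no bytes. Assuming `response_len` still describes `buf` at this point, `if (state.response_len == response_len && memcmp(buf, state.response, response_len) == 0)` closes that, ideally with a constant-time comparison. The failure branch also writes the key's response in hex to the debug output via `response_hex`; dropping the value from the message avoids leaving response material in logs.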
@@ -614,7 +614,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) if (! challenge_response(yk, state.slot, state.challenge, CR_CHALLENGE_SIZE, true, true, false, buf, sizeof(buf), &response_len)) { - DBG("Second challenge-response FAILED"); + DBG("Second challenge-response failed"); goto out; } @@ -643,7 +643,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) /* Drop privileges before creating new challenge file. */ if (!cfg->chalresp_path) { if (pam_modutil_drop_priv(pamh, &privs, p)) { - DBG ("could not drop privileges"); + DBG ("Could not drop privileges"); goto out; } } @@ -662,11 +662,11 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) } if (fchmod (fd, st.st_mode) != 0) { - DBG ("could not set correct file permissions"); + DBG ("Could not set correct file permissions"); goto restpriv_out; } if (fchown (fd, st.st_uid, st.st_gid) != 0) { - DBG ("could not set correct file ownership"); + DBG ("Could not set correct file ownership"); goto restpriv_out; } @@ -696,7 +696,7 @@ do_challenge_response(pam_handle_t *pamh, struct cfg *cfg, const char *username) restpriv_out: if (!cfg->chalresp_path) { if (pam_modutil_regain_priv(pamh, &privs)) { - DBG (("could not restore privileges")); + DBG (("Could not restore privileges")); } } @@ -715,8 +715,8 @@ restpriv_out: display_error(pamh, errstr, cfg); if (errno) { - syslog(LOG_ERR, "Challenge response failed: %s", strerror(errno)); - DBG("Challenge response failed: %s", strerror(errno)); + syslog(LOG_ERR, "Challenge-response failed: %s", strerror(errno)); + DBG("Challenge-response failed: %s", strerror(errno)); } if (yk) 
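Review bot: At `restpriv_out` in do_challenge_response (hunk at -696), a failed `pam_modutil_regain_priv` is only logged, and the call is written `DBG (("Could not restore privileges"));` with doubled parentheses, unlike every other DBG call in this diff. Drop the extra pair, `DBG ("Could not restore privileges");`. The earlier regain call in this function (hunk at -572) treats the same failure as fatal with `goto out`, so consider making this path fail as well rather than returning whatever `ret` already holds. The function body extends beyond the hunk, so what `ret` holds here is not visible.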
@@ -901,7 +901,7 @@ pam_sm_authenticate (pam_handle_t * pamh, if (cfg->token_id_length > MAX_TOKEN_ID_LEN) { - DBG ("configuration error: token_id_length too long. Maximum acceptable value : %u", MAX_TOKEN_ID_LEN); + DBG ("Configuration error: token_id_length too long. Maximum acceptable value : %u", MAX_TOKEN_ID_LEN); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -919,7 +919,7 @@ pam_sm_authenticate (pam_handle_t * pamh, DBG ("libykpers version: %s", ykpers_check_version(NULL)); retval = do_challenge_response(pamh, cfg, user); #else - DBG ("no support for challenge/response"); + DBG ("no support for challenge-response"); retval = PAM_AUTH_ERR; #endif goto done; @@ -946,7 +946,7 @@ pam_sm_authenticate (pam_handle_t * pamh, if(ykclient_global_init() != YKCLIENT_OK) { - DBG ("Failed initializing ykclient library"); + DBG ("Failed to initlaize ykclient library"); retval = PAM_AUTHINFO_UNAVAIL; goto done; } @@ -1156,7 +1156,7 @@ pam_sm_authenticate (pam_handle_t * pamh, DBG ("Token is associated to the user. Validating the OTP..."); rc = ykclient_request (ykc, otp); DBG ("ykclient return value (%d): %s", rc, ykclient_strerror (rc)); - DBG ("ykclient url used: %s", ykclient_get_last_url(ykc)); + DBG ("ykclient URL used: %s", ykclient_get_last_url(ykc)); switch (rc) { diff --git a/ykpamcfg.1.txt b/ykpamcfg.1.txt index 6316d4c..2557278 100644 --- a/ykpamcfg.1.txt +++ b/ykpamcfg.1.txt @@ -47,7 +47,7 @@ To use the system-wide mode, you currently have to move the generated state file == EXAMPLES -First, program a YubiKey for challenge response on Slot 2 : +First, program a YubiKey for challenge-response on Slot 2: $ ykpersonalize -2 -ochal-resp -ochal-hmac -ohmac-lt64 -oserial-api-visible ... diff --git a/ykpamcfg.c b/ykpamcfg.c index 5098027..7f84a32 100644 --- a/ykpamcfg.c +++ b/ykpamcfg.c 
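Review bot: Two messages in pam_sm_authenticate still depart from the wording style this change applies elsewhere. The token_id_length error (hunk at -901) keeps a space before the colon in `Maximum acceptable value : %u`, and in the hunk at -919 `DBG ("no support for challenge-response");` stays lowercase while the other messages were capitalised. Suggest `Maximum acceptable value: %u` and `DBG ("No support for challenge-response");`.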
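Review bot: The new message in pam_sm_authenticate (hunk at -946) misspells the verb: `DBG ("Failed to initlaize ykclient library");` should read `DBG ("Failed to initialize ykclient library");`. The typo is introduced by this change and makes the line harder to find when searching debug output for "initialize".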
@@ -56,7 +56,7 @@ const char *usage = "\t-2 Send challenge to slot 2.\n" "\t-A action What to do.\n" "\t-p path Specify an output path for the challenge file.\n" - "\t-i iters Number of iterations to use for pbkdf2 (defaults to 10000)\n" + "\t-i iters Number of iterations to use for PBKDF2 (defaults to 10000)\n" "\n" "\t-v Increase verbosity\n" "\t-V Show version and exit\n" @@ -170,7 +170,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u //check if directory exists if (stat(fullpath,&st)!=0 ){ if(mkdir(fullpath, S_IRWXU)==-1){ - fprintf(stderr, "Failed creating directory '%s' :%s\n", + fprintf(stderr, "Failed to create directory '%s': %s\n", fullpath, strerror(errno)); } if(verbose){ @@ -179,7 +179,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u } else{ if(!S_ISDIR(st.st_mode)){ - fprintf(stderr, "Destination %s already exist and is not a directory.\n", + fprintf(stderr, "Destination %s already exists and is not a directory.\n", fullpath); goto out; } @@ -187,7 +187,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u } if (! get_user_challenge_file(yk, output_dir, p, &fn, stdout)) { - fprintf (stderr, "Failed getting chalresp state filename\n"); + fprintf (stderr, "Failed to get chalresp state filename\n"); goto out; } @@ -197,7 +197,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u } if (generate_random(state.challenge, CR_CHALLENGE_SIZE)) { - fprintf (stderr, "FAILED getting %i bytes of random data\n", CR_CHALLENGE_SIZE); + fprintf (stderr, "Failed to get %i bytes of random data\n", CR_CHALLENGE_SIZE); goto out; } state.challenge_len = CR_CHALLENGE_SIZE; 
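Review bot: In do_add_hmac_chalresp (hunk at -170), a failed `mkdir(fullpath, S_IRWXU)` only prints the reworded error and then falls through to the `if(verbose)` block, so the function carries on without the directory it needs. Add `goto out;` after the `fprintf`, as the not-a-directory branch in the next hunk already does. The `stat` followed by `mkdir` is also a check-then-create sequence. Calling `mkdir` first and accepting `EEXIST` only once the path is confirmed to be a directory removes the dependence on the earlier check.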
@@ -215,7 +215,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u char challenge[CR_CHALLENGE_SIZE]; if (generate_random(challenge, CR_CHALLENGE_SIZE)) { - fprintf (stderr, "FAILED getting %i bytes of random data\n", CR_CHALLENGE_SIZE); + fprintf (stderr, "Failed to get %i bytes of random data\n", CR_CHALLENGE_SIZE); goto out; } if (! challenge_response(yk, state.slot, challenge, CR_CHALLENGE_SIZE, @@ -224,7 +224,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u goto out; if (memcmp(buf, buf2, response_len) == 0) { - fprintf (stderr, "FAILED YubiKey is outputting the same response for different challenges." + fprintf (stderr, "Failed: YubiKey is outputting the same response for different challenges." "Make sure you configure the key with the option HMAC_LT64.\n"); goto out; } @@ -241,7 +241,7 @@ do_add_hmac_chalresp(YK_KEY *yk, uint8_t slot, bool verbose, char *output_dir, u fd = open (fn, O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC, S_IRUSR | S_IWUSR); if (fd < 0) { - fprintf (stderr, "Failed opening '%s' for writing : %s\n", fn, strerror (errno)); + fprintf (stderr, "Failed to open '%s' for writing: %s\n", fn, strerror (errno)); goto out; } f = fdopen (fd, "w");
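Review bot: The two adjacent string literals in the same-response error of do_add_hmac_chalresp (hunk at -224) are concatenated without a separator, so the output reads `...different challenges.Make sure you configure...`. Add a trailing space to the first literal: `"Failed: YubiKey is outputting the same response for different challenges. "`. The message also names the option as `HMAC_LT64`, while the ykpamcfg.1.txt example in this diff passes `-ohmac-lt64`; spelling it as the user types it would make the hint easier to act on.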
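Review bot: The state file in do_add_hmac_chalresp (hunk at -241) is opened with `O_WRONLY | O_CREAT | O_TRUNC | O_CLOEXEC` and mode `S_IRUSR | S_IWUSR`, but that mode only applies when the file is created, and the call follows a symbolic link at `fn`. Since the file holds the challenge-response state, consider adding `O_NOFOLLOW` to the flags and calling `fchmod (fd, S_IRUSR | S_IWUSR)` after a successful open, so a pre-existing file with wider permissions is tightened. Whether the `fdopen` result is checked for NULL lies outside the hunk.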