-/** @file
- * Interface to the S/Ident requester library.
- *
- * This interface is heavily based on the libident interface, with some
- * additions for the Kerberos S/Ident functionality.
- *
- * @author libident written by Peter Eriksson <pen@lysator.liu.se> and Pdr
- * Emanuelsson <pell@lysator.liu.se>
- * @author S/Ident written by Booker Bense <bbense@stanford.edu>.
- */
+/* $Id$
+**
+** Interface to the S/Ident requester library.
+**
+** Written by Booker Bense <bbense@stanford.edu>
+** Based on libident by Peter Eriksson <pen@lysator.liu.se>
+** and Pdr Emanuelsson <pell@lysator.liu.se>
+**
+** This interface is heavily based on the libident interface, with some
+** additions for the Kerberos S/Ident functionality. It needs a great deal
+** of work in the area of avoiding hard-coded buffer limits and global
+** variables, so I expect that this interface will change in the future.
+** It also currently contains some definitions of internal structs, which
+** will eventually be removed.
+*/
#ifndef SIDENT_H
#define SIDENT_H 1
#include <sys/types.h>
#include <time.h>
-/* BEGIN_DECLS is used at the beginning of declarations so that C++
- compilers don't mangle their names. END_DECLS is used at the end. Use
- macros so that smart editors don't get confused by the block. */
+/* BEGIN_DECLS is used at the beginning of declarations so that C++ compilers
+ don't mangle their names. END_DECLS is used at the end. Use macros so
+ that smart editors don't get confused by the block. */
#undef BEGIN_DECLS
#undef END_DECLS
#ifdef __cplusplus
# define END_DECLS /* empty */
#endif
-/** The registered ident port. */
+/* The registered ident port. */
#ifndef IDPORT
# define IDPORT 113
#endif
-/** The service name for the S/Ident protocol. */
+/* The service name for the S/Ident protocol, used in Kerberos principals. */
#define IDENT_AUTH_KRB_SERVICE "ident"
-/** Default delay for network reads. */
+/* Default delay for network reads. This should be configurable. */
#define IDENT_READ_TIMEOUT 60
-/** Buffer size sufficient to hold a complete request or response. */
+/* Buffer size sufficient to hold a complete request or response. */
#define IDENT_BUFFER_SIZE 4096
-/** Maximum length of an authenticator. */
-#define MAX_AUTH_LEN 4096
-
-/** Minimum length of an authenticator. */
-#define MIN_AUTH_LEN 80
-
-/** Maximum length of an identifier. Should be the same as MAX_K_NAME_SZ in
- * krb.h, but we don't want to depend on krb.h. */
-#define MAX_AUTH_NAME 123
-
-/** The number of authentication flags supported by KERBEROS_V4. */
+/* The number of authentication flags supported by KERBEROS_V4. */
#define IDENT_MAX_KRB_AUTH_FLAG 1
-/** A 16-bit unsigned type. */
+/* A 16-bit unsigned type. */
#ifndef IDENT_INT16
# define IDENT_INT16 unsigned short
#endif
-/** Bit to determine if mutual authentication is needed. */
-#define MUTUAL_AUTH_BIT 0x01
-
BEGIN_DECLS
/* VARIABLES AND STRUCTURES */
-/** Version of the S/Ident library being used. */
+/* Version of the S/Ident library being used. */
extern char id_version[];
-/** Return codes used by library functions. */
+/* Return codes used by library functions. */
enum id_codes {
- IDENT_AUTH_OKAY = 0, /**< No error. */
+ IDENT_AUTH_OKAY = 0, /* No error. */
+ IDENT_AUTH_FAIL, /* An unidentified operation failed. */
- /** An authentication verification operation failed. */
- IDENT_AUTH_FAIL,
-
- /** Authentication mechanism not supported.
- *
- * None of the authentication mechanisms offered by the requester are
- * supported for authentication of the owner of the indicated
- * connection.
- */
+ /* None of the authentication mechanisms offered by the requester are
+ supported for authentication of the owner of the indicated
+ connection. */
IDENT_AUTH_NOT_SUPPORTED,
- /** No authentication information available.
- *
- * Indicates that the authentication mechanism is supported for the owner
- * of the connection, but that no authentication information is available
- * for that user.
- */
+ /* The authentication mechanism is supported for the owner of the
+ connection, but no authentication information is available for that
+ user. */
IDENT_USER_CANT_AUTH,
- /** One or more values in auth-resp-info are syntactically invalid. */
+ /* One or more values in auth-resp-info are syntactically invalid. */
IDENT_INVALID_RESP_INFO,
- /** One or more values in auth-req-info are syntactically invalid. */
+ /* One or more values in auth-req-info are syntactically invalid. */
IDENT_INVALID_REQ_INFO,
- /** Connection not found.
- *
- * The connection specified by the port pair is not currently in use or
- * currently not owned by an identifiable entity.
- */
+ /* The connection specified by the port pair is not currently in use or
+ currently not owned by an identifiable entity. */
IDENT_NO_USER,
- /** Cannot determine connection owner for an unknown reason.
- *
- * Any error not covered by other codes should return this error code
- * value. Optionally, this code MAY be returned in lieu of any other
- * specific error code if, for example, the server desires to hide
- * information implied by the return of that error code, or for any other
- * reason. If a server implements such a feature, it MUST be configurable
- * and it MUST default to returning the proper error message.
- *
- * This error code is also used if the remote system closed the connection
- * without returning any response.
- */
+ /* Any error not covered by other codes should return this error code
+ value. Optionally, this code MAY be returned in lieu of any other
+ specific error code if, for example, the server desires to hide
+ information implied by the return of that error code, or for any other
+ reason. If a server implements such a feature, it MUST be configurable
+ and it MUST default to returning the proper error message.
+
+ This error code is also used if the remote system closed the connection
+ without returning any response. */
IDENT_UNKNOWN_ERROR,
- /** Port improperly specified.
- *
- * Either the local or foreign port was improperly specified. This should
- * be returned if either or both of the port ids were out of range (TCP
- * port numbers are from 1-65535), negative integers, reals or in any
- * fashion not recognized as a non-negative integer.
- */
+ /* Either the local or foreign port was improperly specified. This should
+ be returned if either or both of the port ids were out of range (TCP
+ port numbers are from 1-65535), negative integers, reals, or in any
+ fashion not recognized as a non-negative integer. */
IDENT_INVALID_PORT,
- /** User information intentionally hidden.
- *
- * The server was able to identify the user of this port, but the
- * information was not returned at the request of the user.
- */
+ /* The server was able to identify the user of this port, but the
+ information was not returned at the request of the user. */
IDENT_HIDDEN_USER,
- /** User refused to authenticate.
- *
- * Indicates that the authentication mechanism is supported for the owner
- * of the connection, but that no authentication information is available
- * for that user; this value is used if the responder has prompted the
- * user to authenticate.
- *
- * @deprecated Use #IDENT_CANT_AUTH instead.
- */
+ /* Indicates that the authentication mechanism is supported for the owner
+ of the connection, but that no authentication information is available
+ for that user; this value is used if the responder has prompted the
+ user to authenticate.
+
+ This error code is deprecated. IDENT_CANT_AUTH should be used
+ instead. */
IDENT_USER_WONT_AUTH,
- /* All error codes below are internal */
- IDENT_INTERNAL_ERR, /**< Internal library error. */
- IDENT_NO_MUTUAL_AUTH, /**< No mutual authentication given. */
- IDENT_MUTUAL_AUTH_FAIL, /**< Mutual authentication failed. */
- IDENT_SYSTEM_ERROR, /**< Some internal system error. */
- IDENT_FLAG_NOT_SUPPORTED, /**< Authentication flag not supported. */
- IDENT_INVALID_FLAG_VALUE, /**< Invalid authentication flag value. */
- IDENT_TIMEOUT, /**< Timeout in library functions. */
- IDENT_MAX_ERROR /**< Fencepost value. */
+ /* All error codes below are internal. */
+ IDENT_INTERNAL_ERR, /* Internal library error. */
+ IDENT_NO_MUTUAL_AUTH, /* No mutual authentication given. */
+ IDENT_MUTUAL_AUTH_FAIL, /* Mutual authentication failed. */
+ IDENT_SYSTEM_ERROR, /* Some internal system error (see errno). */
+ IDENT_FLAG_NOT_SUPPORTED, /* Authentication flag not supported. */
+ IDENT_INVALID_FLAG_VALUE, /* Invalid authentication flag value. */
+ IDENT_TIMEOUT, /* Timeout in library functions. */
+
+ IDENT_MAX_ERROR /* Fencepost value. */
};
-/** A table mapping enum id_codes codes to text strings. */
+/* A table mapping enum id_codes codes to text strings. */
extern const char *ident_err_txt[];
-/** A table listing all authentication flags supported by KERBEROS_V4. */
+/* A table listing all authentication flags supported by KERBEROS_V4. */
extern const char *ident_krb_auth_flags[];
-/** Low-level struct underlying an open ident connection. */
+/* Low-level struct underlying an open ident connection. */
typedef struct {
int fd;
char buf[IDENT_BUFFER_SIZE];
} ident_t;
-/** High-level struct encapsulating all the protocol data. */
+/* High-level struct encapsulating all the protocol data. */
typedef struct {
- int resp_port; /**< Responder port. */
- int req_port; /**< Requester port (i.e. us). */
- char *identifier; /**< Identification string. */
- char *opsys; /**< Operating system. */
- char *charset; /**< Character set (what did you expect?). */
- int result_code; /**< Result code from internal routines. */
- time_t expires; /**< Expiration of authenticating ticket. */
- char *principal; /**< Principal in local realm. */
+ int resp_port; /* Responder port. */
+ int req_port; /* Requester port (i.e. us). */
+ char *identifier; /* Identification string. */
+ char *opsys; /* Operating system. */
+ char *charset; /* Character set (what did you expect?). */
+ int result_code; /* Result code from internal routines. */
+ time_t expires; /* Expiration of authenticating ticket. */
+ char *principal; /* Principal in local realm. */
} IDENT;
-/** Internal structure containing requester information. */
+
+/* HIGH-LEVEL CALLS */
+
+
+/* The simplest of the lookup calls. Assumes that fd points to an open
+ network connection and does an ident callback to the system on the other
+ end, asking for the identity of the user opening that connection. Returns
+ only the identity string in newly allocated memory. timeout specifies the
+ timout in seconds. If the protocol failed or the user could not be
+ authenticated, returns NULL. */
+extern char *ident_id(int fd, int timeout);
+
+/* Like ident_id, but returns a full IDENT struct rather than just the
+ identity information. The struct is returned even in the event of an error
+ on the remote side, so the error can be diagnosed more completely. Returns
+ NULL if something fundamental goes wrong, in which case errno should be set
+ appropriately. */
+extern IDENT *ident_lookup(int fd, int timeout);
+
+/* Like ident_lookup(), but rather than just taking the file descriptor of an
+ open network connection, takes the local and remote address and local and
+ remote ports instead. This is the most complete of the ident lookup
+ functions and can be used to authenticate other open connections on the
+ same system provided that the local and remote ports are known. Returns
+ an IDENT struct unless something fundamental goes wrong, in which case
+ errno should be set appropriately. */
+extern IDENT *ident_query (struct in_addr *laddr, struct in_addr *raddr,
+ int resp_port, int req_port, int timeout);
+
+/* Frees the IDENT struct returned by ident_lookup or ident_query, including
+ all data contained in it. */
+extern void ident_free(IDENT *);
+
+/* Sets the type of authentication to request of the remote system. Currently
+ there are only three supported values: KERBEROS_V4, GSSAPI, and TRIVIAL.
+ TRIVIAL is the same as the normal ident protocol.
+
+ The second parameter is type-specific initialization data. For
+ KERBEROS_V4, this should be the full path to the srvtab file that contains
+ the key for the ident.hostname Kerberos principal. Neither TRIVIAL nor
+ GSSAPI take any data.
+
+ Returns IDENT_AUTH_OKAY on success and IDENT_AUTH_NOT_SUPPORTED on
+ failure. */
+extern int ident_set_authtype(char *auth_type, void *auth_init_data);
+
+/* The S/Ident protocol supports flags that can be set in the initial
+ authentication request. This call sets a flag that will be passed to
+ future ident requests. ident_set_authtype must be called before this call
+ can be used.
+
+ Currently, the only supported flag is "USER-INTERACTION" with possible
+ values "YES" or "NO", indicating whether the S/Ident server should attempt,
+ when possible, to bring up a dialog box to authenticate the user if they
+ are not already authenticated.
+
+ Returns IDENT_AUTH_OKAY on success, IDENT_FLAG_NOT_SUPPORTED if the flag
+ isn't recognized, and IDENT_INVALID_FLAG_VALUE if the value given isn't one
+ of the valid values for that flag. */
+extern int ident_set_authflag(char *flag, char *value);
+
+/* Returns the value of a flag set by ident_set_authflag. As with that
+ function, ident_set_authtype must be called before this function. The
+ value returned in value points to internal memory and should not be
+ manipulated.
+
+ Returns IDENT_AUTH_OKAY if the flag is valid or IDENT_FLAG_NOT_SUPPORTED if
+ it is not a recognized flag or if it isn't set. */
+extern int ident_get_authflag(char *flag, char **value);
+
+/* Interogates the error string returned from the responder for a given flag
+ and corresponding value. The two currently defined flags are CAPABILITIES
+ and AUTH-MECH. See the S/Ident draft for the corresponding values. The
+ responder uses the extended error codes to allow the requester to attempt
+ to reformulate its call in an attempt to complete a successful transaction.
+ This can be used to negotiate authentication methods, as well as to
+ distinguish between responders capable of user interaction and those that
+ are not capable.
+
+ It takes a keyword to search for, the value that keyword should have, and
+ the IDENT structure representing the error response. It returns
+ IDENT_AUTH_OKAY if that flag/value pair is found and IDENT_AUTH_FAIL if it
+ is not. */
+extern int ident_query_error(char *keyword, char *value, IDENT *ident);
+
+
+/* LOW-LEVEL CALLS AND MACROS */
+
+
+/* These calls are no longer supported and will probably be removed in the
+ future in favor of a more complete high-level interface. */
+
+/* A macro that takes an ident_t handle and returns the actual socket file
+ descriptor used for the connection to the remote server. */
+#define id_fileno(id) ((id)->fd)
+
+/* Opens a connection to the remote ident server referred to by faddr. The
+ timeout is specified by timeout. Returns a pointer to an ident_t datum,
+ which is an opaque structure to be used as future reference to the opened
+ connection.
+
+ timeout is a pointer to a timeval struct indicating how long to wait for a
+ response; NULL means wait indefinitely, while a zero-valued timeval struct
+ will cause id_open to return if the connection cannot be completed
+ immediately. Specifying a timeout will put the socket in non-blocking
+ mode.
+
+ Returns a valid ident_t on success or NULL on failure. */
+extern ident_t *id_open(struct in_addr *laddr, struct in_addr *faddr,
+ struct timeval *timeout);
+
+/* Allocate and initialize an ident_auth_client_data struct. */
+extern struct ident_auth_client_data *
+ id_auth_init(struct ident_auth_client_data *auth_data);
+
+/* Close an ident connection opened with id_open and free all data associated
+ with it. Returns 0 on success, non_zero on failure. errno will be set on
+ failure. */
+extern int id_close(ident_t *id);
+
+/* Sends off a query to a remote ident server. resp_port and req_port
+ are sent to the server to identify the connection for which identification
+ is needed. timeout is given as for id_open. auth_data specifies the
+ authentication protocol to use.
+
+ Returns the number of bytes sent to the remote server on success, -1 on
+ failure. On failure, errno is set. */
+
+/* Parses the reply to a query sent off by id_query() and returns information
+ to the locations pointed to by resp_port, req_port, identifier, opsys, and
+ charset. For string data (identifier, opsys, and charset) pointers to
+ allocated space are returned. The caller is responsible for freeing.
+
+ Returns one of the following codes:
+
+ -3 Illegal reply type from remote server. identifier is set to the
+ illegal reply.
+
+ -2 Cannot parse the reply from the server. identifier is normally set to
+ the illegal reply, unless it could not be saved.
+
+ -1 Some other general error or timeout.
+
+ 0 Non-blocking mode is set (a timeout was specified) and id_parse has not
+ finished parsing the reply from the server.
+
+ 1 Complete success.
+
+ 2 The query and reply (the basic protocol) were successful, but the
+ remote site experienced some error. identifier is set to the error
+ message from the remote server. */
+extern int id_parse(ident_t *id, struct timeval *timeout,
+ int *resp_port, int *req_port,
+ char **identifier, char **opsys, char **charset,
+ struct ident_auth_client_data *auth_data);
+
+
+/* INTERNAL DEFINITIONS */
+
+
+/* Everything below this point is strictly for the internal use of the S/Ident
+ daemon and library and should not be used by clients. It will all
+ eventually move out of this file. */
+
+/* Maximum length of an authenticator. */
+#define MAX_AUTH_LEN 4096
+
+/* Minimum length of an authenticator. */
+#define MIN_AUTH_LEN 80
+
+/* Maximum length of an identifier. Should be the same as MAX_K_NAME_SZ in
+ krb.h, but we don't want to depend on krb.h. */
+#define MAX_AUTH_NAME 123
+
+/* Bit to determine if mutual authentication is needed. */
+#define MUTUAL_AUTH_BIT 0x01
+
+/* Internal structure containing requester information. */
struct ident_auth_client_data {
- /** Authenticated identity. */
+ /* Authenticated identity. */
char user_ident[MAX_AUTH_NAME];
- /** Authenticated identity in local realm, if available. */
+ /* Authenticated identity in local realm, if available. */
char user_principal[MAX_AUTH_NAME];
- /** Authentication data from the network. */
+ /* Authentication data from the network. */
char authenticate_data[MAX_AUTH_LEN];
- int requester_port; /**< Port of connection on requester. */
- int responder_port; /**< Port of connection on responder. */
- int fd; /**< File descriptor of connection. */
- struct timeval *timeout; /**< I/O timeout in seconds. */
- time_t expires; /**< Expiration of authenticating ticket. */
-
- /** Local IP address. */
- struct in_addr *local_addr;
+ int requester_port; /* Port of connection on requester. */
+ int responder_port; /* Port of connection on responder. */
+ int fd; /* File descriptor of connection. */
+ struct timeval *timeout; /* I/O timeout in seconds. */
+ time_t expires; /* Expiration of authenticating ticket. */
+ struct in_addr *local_addr; /* Local IP address. */
+ struct in_addr *remote_addr; /* Remote IP address. */
- /** Remote IP address. */
- struct in_addr *remote_addr;
-
- /** Pointer to authentication methods. */
+ /* Pointer to authentication methods. */
struct ident_requester_auth *auth_struct;
- /** Pointer to method-specific data used for authentication. */
+ /* Pointer to method-specific data used for authentication. */
void *auth_method_data;
};
-/** Internal structure containing responder information. */
+/* Internal structure containing responder information. */
struct ident_auth_data {
- FILE *fp; /**< Input stream. */
- char *port_data; /**< Points to port data part of auth_line. */
- char *cmd_data; /**< Points to command part of line. */
- char *authenticate_data; /**< Points to AUTHENTICATE part of line. */
- int uid; /**< UID of process. */
- int pid; /**< PID of process. */
-
- /** Pointer to authentication methods. */
+ FILE *fp; /* Input stream. */
+ char *port_data; /* Points to port data part of auth_line. */
+ char *cmd_data; /* Points to command part of line. */
+ char *authenticate_data; /* Points to AUTHENTICATE part of line. */
+ int uid; /* UID of process. */
+ int pid; /* PID of process. */
+
+ /* Pointer to authentication methods. */
struct ident_responder_auth *auth_struct;
- int local_port; /**< Local port of connection. */
- int remote_port; /**< Remote port of connection. */
-
- /** Local IP address. */
- struct in_addr *local_addr;
-
- /** Remote IP address. */
- struct in_addr *remote_addr;
+ int local_port; /* Local port of connection. */
+ int remote_port; /* Remote port of connection. */
+ struct in_addr *local_addr; /* Local IP address. */
+ struct in_addr *remote_addr; /* Remote IP address. */
- /** Pointer to method-specific data used for authentication. */
+ /* Pointer to method-specific data used for authentication. */
void *auth_method_data;
};
-/** Internal structure detailing how to do requester authentication. */
+/* Internal structure detailing how to do requester authentication. */
struct ident_requester_auth {
- char *auth_method; /**< Name of authentication mechanism. */
- char *response; /**< Response from server. */
- void *auth_method_init; /**< Type-specific data (e.g. srvtab name). */
- char *auth_flags; /**< Char string of requester flags. */
+ char *auth_method; /* Name of authentication mechanism. */
+ char *response; /* Response from server. */
+ void *auth_method_init; /* Type-specific data (e.g. srvtab name). */
+ char *auth_flags; /* Char string of requester flags. */
- /** Start a responder->requester authentication. */
+ /* Start a responder->requester authentication. */
char *(*start)(struct ident_auth_client_data *);
- /** Do an authentication protocol exchange. */
+ /* Do an authentication protocol exchange. */
int (*auth)(struct ident_auth_client_data *);
- /** Free an authentication state structure. */
+ /* Free an authentication state structure. */
void (*free_state)(void *);
- /** Set an authentication flag value. */
+ /* Set an authentication flag value. */
int (*set_flag)(char *flag, char *value);
- /** Get the value of an authentication flag. */
+ /* Get the value of an authentication flag. */
int (*get_flag)(char *flag, char **value);
};
-/** Internal structure detailing how to do responder authentication. */
+/* Internal structure detailing how to do responder authentication. */
struct ident_responder_auth {
- char *auth_method; /**< Name of authentication mechanism. */
+ char *auth_method; /* Name of authentication mechanism. */
- /** Start a responder->requester authentication. */
+ /* Start a responder->requester authentication. */
int (*start)(struct ident_auth_data *);
- /** Do an authentication protocol exchange. */
+ /* Do an authentication protocol exchange. */
int (*auth)(struct ident_auth_data *);
- /** Free an authentication state structure. */
+ /* Free an authentication state structure. */
void (*free_state)(void *);
};
-
-/* HIGH-LEVEL CALLS */
-
-
-/** Performs an ident query to identify the user on the other end of @a fd.
- *
- * The simplest of the lookup calls. Assumes that @a fd points to an open
- * network connection and does an ident callback to the system on the other
- * end, asking for the identity of the user opening that connection. Returns
- * only the identity string in newly allocated memory.
- *
- * @param fd File descriptor of open network connection to authenticate.
- * @param timeout Timeout in seconds. 0 means block until TCP times out.
- * @return The user identity in newly allocated memory, or NULL if the
- * protocol failed or the user could not be authenticated.
- */
-extern char *ident_id(int fd, int timeout);
-
-/** Performs a full ident query for the user on the other end of @a fd.
- *
- * Like ident_id(), but returns a full #IDENT struct rather than just the
- * identity information. The struct is returned even in the event of an error
- * on the remote side, so the error can be diagnosed more completely.
- *
- * @param fd File descriptor of open network connection to authenticate.
- * @param timeout Timeout in seconds. 0 means block until TCP times out.
- * @return An #IDENT struct in newly allocated memory, or NULL on basic
- * errors. If NULL is returned, errno will generally be set to something
- * appropriate.
- */
-extern IDENT *ident_lookup(int fd, int timeout);
-
-/** Performs a full ident query.
- *
- * Like ident_lookup(), but rather than just taking the file descriptor of an
- * open network connection, takes the local and remote address and local and
- * remote ports instead. This is the most complete of the ident lookup
- * functions and can be used to authenticate other open connections on the
- * same system provided that the local and remote ports are known.
- *
- * @param laddr Local address.
- * @param raddr Remote address.
- * @param resp_port Port of the connection on the remote system.
- * @param req_port Port of the connection on the local system.
- * @param timeout Timeout in seconds. 0 means block until TCP times out.
- * @return An #IDENT struct in newly allocated memory, or NULL on basic
- * errors. If NULL is returned, errno will generally be set to something
- * appropriate.
- */
-extern IDENT *ident_query (struct in_addr *laddr, struct in_addr *raddr,
- int resp_port, int req_port, int timeout);
-/** Frees allocated ident data.
- *
- * Frees the #IDENT struct returned by ident_lookup() or ident_query(),
- * including all data contained in it.
- *
- * @param id #IDENT struct to free.
- */
-extern void ident_free(IDENT *id);
-
-/** Set the type of ident authentication to use.
- *
- * Sets the type of authentication to request of the remote system. Currently
- * there are only two supported values, "KERBEROS_V4" and "TRIVIAL". There
- * are placeholders in the code for other values, such as GSS-API, but they
- * are not implemented. "TRIVIAL" is the same as the normal ident protocol.
- *
- * @param auth_type Type of authentication ("KERBEROS_V4" or "TRIVIAL").
- * @param auth_init_data Type-specific initialization data. For KERBEROS_V4,
- * this should be the full path to the srvtab file that contains the key for
- * the ident.<i>hostname</i> Kerberos principal. TRIVIAL needs no data.
- * @return #IDENT_AUTH_OKAY on success and #IDENT_AUTH_NOT_SUPPORTED on
- * failure.
- */
-extern int ident_set_authtype(char *auth_type, void *auth_init_data);
-
-/** Set a flag in the authentication request.
- *
- * The S/Ident protocol supports flags that can be set in the initial
- * authentication request. This call sets a flag that will be passed to
- * future ident requests. ident_set_authtype() must be called before this
- * call can be used.
- *
- * Currently, the only supported flag is "USER-INTERACTION" with possible
- * values "YES" or "NO", indicating whether the S/Ident server should attempt,
- * when possible, to bring up a dialog box to authenticate the user if they
- * are not already authenticated.
- *
- * @param flag The flag to set.
- * @param value The value to set it to.
- * @return #IDENT_AUTH_OKAY on success, #IDENT_FLAG_NOT_SUPPORTED if the flag
- * isn't recognized, and #IDENT_INVALID_FLAG_VALUE if the value given isn't
- * one of the valid values for that flag.
- */
-extern int ident_set_authflag(char *flag, char *value);
-
-/** Get the value of a flag.
- *
- * Returns the value of a flag set by ident_set_authflag(). As with that
- * function, ident_set_authtype() must be called before this function. The
- * value returned in @a value points to internal memory and should not be
- * manipulated.
- *
- * @param flag The flag to query.
- * @param value Where to store a pointer to its value. Will be set to the
- * value of the flag if the flag is set or to NULL if it is not.
- * @return #IDENT_AUTH_OKAY if the flag is valid, or #IDENT_FLAG_NOT_SUPPORTED
- * if it is not a recognized flag.
- */
-extern int ident_get_authflag(char *flag, char **value);
-
-/** Interrogates the error string returned by a responder.
- *
- * Interogates the error string returned from the responder for a given flag
- * and corresponding value. The two currently defined flags are CAPABILITIES
- * and AUTH-MECH. See the RFC for the corresponding values. The responder
- * uses the extended error codes to allow the requester to attempt to
- * reformulate its call in an attempt to complete a successful transaction.
- * Currently, this can be used to distinguish between responders capable of
- * user interaction and those not capable. In the future this mechanism may
- * be used to negotiate authentication methods.
- *
- * @param keyword Flag to search the error string for.
- * @param value Value that this keyword should have.
- * @param ident The #IDENT structure representing the error response.
- * @return #IDENT_AUTH_OKAY if that flag/value pair is found and
- * #IDENT_AUTH_FAIL if it is not.
- */
-extern int ident_query_error(char *keyword, char *value, IDENT *ident);
-
-
-/* LOW-LEVEL CALLS AND MACROS */
-
-
-/** Return the file descriptor of an ident connection.
- *
- * A macro that takes an #ident_t handle and returns the actual socket file
- * descriptor used for the connection to the remote server.
- *
- * @param id An #ident_t struct created by id_open().
- * @return The underlying file descriptor.
- */
-#define id_fileno(id) ((id)->fd)
-
-/** Open a new ident connection.
- *
- * Opens a connection to the remote IDENT server referred to by @a faddr. The
- * timeout is specified by @a timeout. Returns a pointer to an ident_t datum,
- * which is an opaque structure to be used as future reference to the opened
- * connection.
- *
- * @param laddr Local address.
- * @param faddr Server address.
- * @param timeout How long to wait for a response. NULL means wait
- * indefinitely, while a pointer to a zero-valued timeval struct sets
- * non-blocking I/O in the same way as for select(2).
- * @return A valid #ident_t on success or NULL on failure.
- */
-extern ident_t *id_open(struct in_addr *laddr, struct in_addr *faddr,
- struct timeval *timeout);
-
-/** Initialize an #ident_auth_client_data struct.
- *
- * @param auth_data Ignored.
- * @return A newly allocated #ident_auth_client_data struct.
- */
-extern struct ident_auth_client_data *
- id_auth_init(struct ident_auth_client_data *auth_data);
-
-/** Close an open ident connection.
- *
- * Closes the connection opened with id_open() and frees all data associated
- * with @a id.
- *
- * @param id Connection to free.
- * @return 0 on success, non-zero on failure. errno will be set on failure.
- */
-extern int id_close(ident_t *id);
-
-/** Send query to remote ident server.
- *
- * Sends off a query to a remote ident server. @a resp_port and @a req_port
- * are sent to the server to identify the connection for which identification
- * is needed. @a timeout is given as for id_open().
- *
- * @param id Pointer to open ident connection from id_open().
- * @param resp_port Port of the connection on the remote system.
- * @param req_port Port of the connection on the local system.
- * @param timeout Timeout as per id_open().
- * @param auth_data Authentication data struct specifying the authentication
- * protocol to use.
- * @return Returns the number of bytes sent to the remote server on success,
- * or -1 on failure. On failure, errno is set.
- */
-extern int id_query(ident_t *id, int resp_port, int req_port,
- struct timeval *timeout,
- struct ident_auth_client_data *auth_data);
-
-/** Parse the reply to an ident query.
- *
- * Parses the reply to a query sent off by id_query() and returns information
- * to the locations pointed to by @a resp_port, @a req_port, @a identifier, @a
- * opsys, and @a charset. For string data (@a identifier, @a opsys, and @a
- * charset) pointers to allocated space are returned. The caller is
- * responsible for freeing.
- *
- * @param id Pointer to open ident connection from id_open().
- * @param resp_port Port of the connection on the remote system.
- * @param req_port Port of the connection on the local system.
- * @param identifier User identity.
- * @param opsys Operating system of ident server.
- * @param charset Character set of returned information.
- * @param auth_data Authentication data struct specifying the authentication
- * protocol to use.
- * @return Returns 1 on success, and in general:
- * <dl>
- * <dt>-3</dt>
- * <dd>Illegal reply type from remote server. @a identifier is set to
- * the illegal reply.</dd>
- *
- * <dt>-2</dt>
- * <dd>Cannot parse the reply from the server. @a identifier is normally
- * set to the illegal reply.</dd>
- *
- * <dt>-1</dt>
- * <dd>Some other general error or timeout.</dd>
- *
- * <dt>0</dt>
- * <dd>Non-blocking mode is set and id_parse() has not finished parsing the
- * reply from the server.</dd>
- *
- * <dt>1</dt>
- * <dd>Complete success.</dd>
- *
- * <dt>2</dt>
- * <dd>The query and reply (the protocol) was successful, but the remote
- * site experienced some error. @a identifier is set to the error
- * message from the remote server.</dd>
- * </dl>
- */
-extern int id_parse(ident_t *id, struct timeval *timeout,
- int *resp_port, int *req_port,
- char **identifier, char **opsys, char **charset,
- struct ident_auth_client_data *auth_data);
-
END_DECLS
#endif /* SIDENT_H */
-/** @file
- * GSS-API implementation for responder.
- *
- * This file contains the responder portion of a GSS-API S/Ident protocol
- * implementation. As written, it only supports Kerberos v5.
- *
- * @author Russ Allbery <rra@stanford.edu>
- * @date 2002
- *
- * $Id$
- */
+/* $Id$
+**
+** GSS-API implementation for an S/Ident responder.
+**
+** Written by Russ Allbery <rra@stanford.edu>
+**
+** This file contains the responder portion of a GSS-API S/Ident protocol
+** implementation. As written, it only supports Kerberos v5. It supports
+** both the Heimdal and MIT Kerberos implementations.
+*/
#include <ctype.h>
#include <dirent.h>
extern int parse_auth_line();
extern char *sfgets();
-/** The steps of the authentication exchange. */
+/* The steps of the authentication exchange. */
enum gssapi_step {
- STEP_ERROR = -1, /**< An error has occurred. */
- STEP_CONTEXT, /**< Need to establish a context. */
- STEP_FINAL, /**< Need to send the authenticator. */
- STEP_DONE /**< Completed the exchange. */
+ STEP_ERROR = -1, /* An error has occurred. */
+ STEP_CONTEXT, /* Need to establish a context. */
+ STEP_FINAL, /* Need to send the authenticator. */
+ STEP_DONE /* Completed the exchange. */
};
-/** Holds the current GSS-API authentication exchange state. */
+/* Holds the current GSS-API authentication exchange state. */
struct gssapi_state {
- enum gssapi_step step; /**< Step of the authentication exchange. */
- char *service; /**< GSS-API ASCII name of requester. */
- gss_name_t service_name; /**< GSS-API internal name of requester. */
- gss_ctx_id_t context; /**< GSS-API context with requester. */
+ enum gssapi_step step; /* Step of the authentication exchange. */
+ char *service; /* GSS-API ASCII name of requester. */
+ gss_name_t service_name; /* GSS-API internal name of requester. */
+ gss_ctx_id_t context; /* GSS-API context with requester. */
};
-/** Lowercase a string in place.
- *
- * @param string The string to lowercase.
- */
+
+/*
+** Lowercase a string in place.
+*/
static void
lowercase(char *string)
{
*p = tolower((unsigned char) *p);
}
-/** Show the GSS-API error message for a particular type of status.
- *
- * @param prefix String prefix to put in front of printed messages.
- * @param code Return code of the failure.
- * @param type The type of the code.
- */
+
+/*
+** Show the GSS-API error message for a particular type of status. prefix is
+** prepended to any printed error messages.
+*/
static void
debug_show_status_type(const char *prefix, OM_uint32 code, int type)
{
}
}
-/** Show the GSS-API error message of a failure.
- *
- * @param prefix String prefix to put in front of printed messages.
- * @param maj_stat Return code of the failing GSS-API function.
- * @param min_stat Mechanism status of the failing GSS-API function.
- */
+
+/*
+** Show the GSS-API error message of a failure. prefix is prepended to any
+** printed error messages, and the other two arguments should be the return
+** code and mechanism status of the failing GSS-API function, respectively.
+*/
static void
debug_show_status(const char *prefix, OM_uint32 maj_stat, OM_uint32 min_stat)
{
debug_show_status_type(prefix, min_stat, GSS_C_MECH_CODE);
}
-/** Given a file, make sure it looks like a ticket.
- *
- * Ideally we would open the ticket cache and make sure that it's not expired,
- * but that's a bit more than I know how to do yet. So just make some basic
- * checks of reasonableness.
- *
- * @param filename The candidate ticket cache.
- * @param uid The UID of the user for which we're trying to find a cache.
- * @return True if it looks like a cache, false otherwise.
- */
+
+/*
+** Given a file, make sure it looks like a ticket. Ideally we would open
+** the ticket cache and make sure that it's not expired, but that's a bit
+** more than I know how to do yet. So just make some basic checks of
+** reasonableness. Takes the file name and the UID whose ticket we're
+** looking for and returns true if it looks like a ticket.
+*/
static int
gssapi_ticket_check(const char *filename, uid_t uid)
{
return 1;
}
-/** Find a ticket cache for a given user.
- *
- * Saves the path to the ticket file in the KRB5CCNAME environment variable
- * where it can be picked up by the GSS-API library calls. Since the MIT
- * Kerberos v5 libraries also require that the current UID match the owner of
- * the ticket file, also call seteuid() to the user for which we're obtaining
- * credentials.
- *
- * @param auth_data Accumulated authentication data.
- * @return An error code if a ticket couldn't be found or #IDENT_AUTH_OKAY.
- */
+
+/*
+** Find a ticket cache for a given user. If one is found, saves the path to
+** the ticket file in the KRB5CCNAME environment variable where it can be
+** picked up by the GSS-API library calls. Returns IDENT_AUTH_OKAY on
+** success, otherwise an error code to pass along to the requester.
+*/
static int
gssapi_ticket_find(struct ident_auth_data *auth_data)
{
continue;
sprintf(filename, "/tmp/%s", file->d_name);
if (gssapi_ticket_check(filename, auth_data->uid)) {
- if (seteuid(auth_data->uid) != 0)
- return IDENT_SYSTEM_ERROR;
env = malloc(strlen("KRB5CCNAME=") + strlen(filename) + 1);
if (env == NULL)
return IDENT_SYSTEM_ERROR;
return IDENT_USER_CANT_AUTH;
}
-/** Start the responder side of the authentication exchange.
- *
- * @param auth_data Accumulated authentication data.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+
+/*
+** Start the responder side of the authentication exchange. Returns an error
+** code or IDENT_AUTH_OKAY.
+*/
int
gssapi_responder_start(struct ident_auth_data *auth_data)
{
return IDENT_AUTH_OKAY;
}
-/** Send a token to the requester.
- *
- * @param auth_data Accumulated authentication data.
- * @param token A GSS-API token to send to the requester.
- * @return An error code or #IDENT_AUTH_OKAY
- */
+
+/*
+** Send a single token to the requester, base64-encoding it. Returns an
+** error code or IDENT_AUTH_OKAY.
+*/
static int
gssapi_send_token(struct ident_auth_data *auth_data, gss_buffer_t token)
{
return IDENT_AUTH_OKAY;
}
-/** Receive a token from the requester.
- *
- * @param auth_data Accumulated authentication data.
- * @param token The buffer into which to write the received GSS-API token.
- * @return An error code or #IDENT_AUTH_OKAY
- */
+
+/*
+** Receive a token from the requester. Puts the decoded token into token and
+** returns an error code or IDENT_AUTH_OKAY.
+*/
static int
gssapi_recv_token(struct ident_auth_data *auth_data, gss_buffer_t token)
{
return IDENT_AUTH_OKAY;
}
-/** Establish a GSS-API context with the requester.
- *
- * @param auth_data Accumulated authentication data.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+
+/*
+** Establish a GSS-API context with the requester. Returns an error code or
+** IDENT_AUTH_OKAY.
+*/
static int
gssapi_responder_context(struct ident_auth_data *auth_data)
{
return (status != 0) ? status : IDENT_AUTH_FAIL;
}
-/** Builds an S/Ident authenticator from the authentication data.
- *
- * The authenticator is stored in newly allocated memory, with a pointer to
- * the authenticator returned in @a auth and its length returned in @a
- * auth_len.
- *
- * @param auth_data Accumulated authentication data.
- * @param auth_len Where to store the length of the authenticator.
- * @param auth Where to store a pointer to the authenticator.
- * @return True on success, false otherwise.
- */
+
+/*
+** Builds an S/Ident authenticator from the authentication data. The
+** authenticator is stored in newly allocated memory, with a pointer to the
+** authenticator returned in auth and its length returned in auth_len.
+** Returns true on success, false otherwise.
+*/
static int
sident_build_authenticator(struct ident_auth_data *auth_data,
size_t *auth_len, char **auth)
return 1;
}
-/** Send the S/Ident authenticator.
- *
- * Called at the conclusion of the authentication exchange, this function
- * accepts a token from the requester and returns the S/Ident authenticator.
- * It concludes the GSS-API S/Ident exchange.
- *
- * @param auth_data Accumulated authentication data.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+
+/*
+** Send the S/Ident authenticator. This is done at the conclusion of the
+** authentication exchange. This function accepts a token from the requester
+** and returns the S/Ident authenticator. This concludes the GSS-API S/Ident
+** exchange.
+*/
static int
gssapi_responder_sendauth(struct ident_auth_data *auth_data)
{
return status;
}
-/** Perform one step of the authentication exchange.
- *
- * @param auth_data Accumulated authentication data.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+
+/*
+** Perform the authentication exchange. This is the high-level function that
+** calls the other functions specified in this file in order to complete an
+** authentication exchange with the remote system.
+*/
int
gssapi_responder_auth(struct ident_auth_data *auth_data)
{
return IDENT_SYSTEM_ERROR;
}
-/** Free GSS-API-specific responder state.
- *
- * @param state Private state to free.
- */
+
+/*
+** Free GSS-API-specific responder state.
+*/
void
gssapi_free_state(void *state)
{
-/** @file
- * SASL-based authentication mechanisms for identd.
- *
- * @author Booker Bense <bbense@stanford.edu>
- * @date 1996-08-28
- *
- * $Id$
- *
- * Much of this code was originally taken from acte_krb.c in the Cyrus IMAP
- * distribution. At the time, the copyright and license statement was as
- * follows:
- *
- * (C) Copyright 1994 by Carnegie Mellon University
- *
- * All Rights Reserved
- *
- * Permission to use, copy, modify, distribute, and sell this software and its
- * documentation for any purpose is hereby granted without fee, provided that
- * the above copyright notice appear in all copies and that both that
- * copyright notice and this permission notice appear in supporting
- * documentation, and that the name of Carnegie Mellon University not be used
- * in advertising or publicity pertaining to distribution of the software
- * without specific, written prior permission. Carnegie Mellon University
- * makes no representations about the suitability of this software for any
- * purpose. It is provided "as is" without express or implied warranty.
- *
- * CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
- * SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS,
- * IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL,
- * INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- * PERFORMANCE OF THIS SOFTWARE.
- */
+/* $Id$
+**
+** SASL-based authentication mechanisms for identd.
+**
+** Written by Booker Bense <bbense@stanford.edu>, 1996-08-28
+**
+** This file contains the core parsing routines for the S/Ident extensions as
+** well as the implementation of Kerberos authentication for Kerberos v4.
+** Much of this code was originally taken from acte_krb.c in the Cyrus IMAP
+** distribution. At the time, the copyright and license statement was as
+** follows:
+**
+** (C) Copyright 1994 by Carnegie Mellon University
+**
+** All Rights Reserved
+**
+** Permission to use, copy, modify, distribute, and sell this software and
+** its documentation for any purpose is hereby granted without fee, provided
+** that the above copyright notice appear in all copies and that both that
+** copyright notice and this permission notice appear in supporting
+** documentation, and that the name of Carnegie Mellon University not be used
+** in advertising or publicity pertaining to distribution of the software
+** without specific, written prior permission. Carnegie Mellon University
+** makes no representations about the suitability of this software for any
+** purpose. It is provided "as is" without express or implied warranty.
+**
+** CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
+** SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS,
+** IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR ANY SPECIAL,
+** INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+** LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+** OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+** PERFORMANCE OF THIS SOFTWARE.
+*/
#include "config.h"
&krb_ident_auth, &gssapi_ident_auth, &otp_ident_auth, &trivial_ident_auth
};
-/** Given a line from a requester, find the requested auth type.
- *
- * If the line is NULL, assume the trivial (traditional) method. Otherwise,
- * find a case-sensitive match for the authentication method given in the
- * table of acceptable authentication methods. Set auth_struct to the struct
- * for the one found.
- *
- * @param line The input from the requester.
- * @param auth_struct Set to the struct corresponding to the desired method.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+/*
+** Given a line from a requester, find the requested auth type. If the line
+** is NULL, assume the trivial (traditional) method. Otherwise, find a
+** case-sensitive match for the authentication method given in the table of
+** acceptable authentication methods. Set auth_struct to the struct for the
+** one found. Returns an error code or IDENT_AUTH_OKAY.
+*/
int
parse_auth(char *line, struct ident_responder_auth **auth_struct)
{
};
#define CHAR64(c) (index_64[(unsigned char)(c)])
-/** Decode in-place a buffer encoded in base64.
- *
- * @param input The buffer containing base64 data to decode.
- * @return Length of the decoded data, or -1 on error.
- */
+/*
+** Decode in-place a buffer encoded in base64. Returns the length of the
+** decoded data or -1 on an error.
+*/
int
ident_decodebase64(char *input)
{
return len;
}
-/** Encode data into base64.
- *
- * The output buffer must be long enough to hold the encoded input.
- *
- * @param input Data to encode.
- * @param output Buffer into which to write the encoded data.
- * @param len The length of the input (not the size of the output buffer).
- */
+/*
+** Encode data into base64. Takes the input buffer, the output buffer, and
+** the length of the data in the input buffer. The output buffer must be
+** long enough to hold the encoded input.
+*/
void
ident_writebase64(char *input, char *output, int len)
{
char realm[REALM_SZ];
};
-/** Free the space used by the opaque mechanism state pointer.
- *
- * @param state Pointer to free.
- */
+/*
+** Free the space used by the opaque mechanism state pointer.
+*/
static void
krb_free_state(void *state)
{
free(state);
}
-/** Check whether a file is a valid ticket for our user of interest.
- *
- * @param tf_name The name of the file to check.
- * @param auth_data Data about the authentication we're attempting.
- * @return Returns a Kerberos status code (KSUCCESS on success).
- */
+/*
+** Check whether a file is a valid ticket for our user of interest. Returns
+** a Kerberos status code (KSUCCESS on success).
+*/
static int
krb_is_ticket(char *tf_name, struct ident_auth_data *auth_data)
{
return KSUCCESS;
}
-/** Find a valid ticket for the user in /tmp.
- *
- * @param tktstring Buffer that will hold the path to the ticket file.
- * @param auth_data Data about the authentication we're attempting.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+/*
+** Find a valid ticket for the user in /tmp. tktstring will have the path to
+** the ticket file filled in and must point to a buffer at least MAXPATHLEN
+** long. Returns an error code or IDENT_AUTH_OKAY.
+*/
static int
krb_find_ticket(char *tktstring, struct ident_auth_data *auth_data)
{
return IDENT_USER_CANT_AUTH;
}
-/** Start the responder side of an authentication exchange.
- *
- * This function doesn't send any data to the remote system. It just makes
- * sure that we have a ticket file for the user and obtains the needed service
- * ticket that we'll use later on.
- *
- * @param auth_data Data about the authentication we're attempting.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+/*
+** Start the responder side of an authentication exchange. This function
+** doesn't send any data to the remote system. It just makes sure that we
+** have a ticket file for the user and obtains the needed service ticket that
+** we'll use later on. Returns an error code or IDENT_AUTH_OKAY.
+*/
static int
krb_responder_start(struct ident_auth_data *auth_data)
{
return IDENT_AUTH_OKAY;
}
-/** Perform responder-side authentication protocol exchange.
- *
- * This function talks to the remote system, passing along the required
- * Kerberos v4 SASL information. It does mutual authentication if needed and
- * then returns the status of the authentication.
- *
- * @param auth_data Data about the authentication we're attempting.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+/*
+** Perform responder-side authentication protocol exchange for Kerberos v4.
+** It does mutual authentication if needed and then returns the status of the
+** authentication.
+*/
static int
krb_responder_auth(struct ident_auth_data *auth_data)
{
}
-/** Start traditional ident authentication.
- *
- * Does nothing except retrieve the password file entry for the user UID.
- *
- * @param auth_data Data about the authentication we're attempting.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+/*
+** Start traditional ident authentication. Does nothing except retrieve the
+** password file entry for the user UID. Returns an error code or
+** IDENT_AUTH_OKAY.
+*/
static int
trivial_responder_start(struct ident_auth_data *auth_data)
{
return IDENT_AUTH_FAIL;
}
-/** Send a traditional ident response.
- *
- * Implements traditional ident. Sends either the username or the UID
- * depending on our flags if trivial authentication is enabled.
- *
- * @param auth_data Data about the authentication we're attempting.
- * @return An error code or #IDENT_AUTH_OKAY.
- */
+/*
+** Send a traditional ident response, either the username or the UID
+** depending on our flags if trivial authentication is enabled. If it's not,
+** returns the appropriate error message. Returns an error code or
+** IDENT_AUTH_OKAY.
+*/
static int
trivial_responder_auth(struct ident_auth_data *auth_data)
{