Retry up to 3 times on password authentication failure

Author: Rehan

doas.h

@@ -44,6 +44,8 @@ char **prepenv(const struct rule *, const struct passwd *,
 #define PERSIST		0x4
 #define NOLOG		0x8
 
+#define AUTH_RETRIES	3
+
 #ifdef USE_PAM
 void pamauth(const char *, const char *, int, int, int);
 #endif

pam.c

@@ -286,11 +286,20 @@ pamauth(const char *user, const char *myname, int interactive, int nopass, int p
 		    "\rdoas (%.32s@%.32s) password: ", myname, host);
 
 		/* authenticate */
-		ret = pam_authenticate(pamh, 0);
-		if (ret != PAM_SUCCESS) {
-			pamcleanup(ret, sess, cred);
-			syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
-			errx(1, "Authentication failed");
+		for (int i = 0; i < AUTH_RETRIES; i++) {
+			ret = pam_authenticate(pamh, 0);
+			if (ret != PAM_SUCCESS) {
+				syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
+
+				if (i == AUTH_RETRIES - 1) {
+					pamcleanup(ret, sess, cred);
+					errx(1, "Authentication failed");
+				}
+				else
+					warnx("Authentication failed");
+			}
+			else
+				break;
 		}
 	}
 

shadow.c

@@ -80,23 +80,32 @@ shadowauth(const char *myname, int persist)
 	snprintf(cbuf, sizeof(cbuf),
 			"\rdoas (%.32s@%.32s) password: ", myname, host);
 	challenge = cbuf;
-
-	response = readpassphrase(challenge, rbuf, sizeof(rbuf), RPP_REQUIRE_TTY);
-	if (response == NULL && errno == ENOTTY) {
-		syslog(LOG_AUTHPRIV | LOG_NOTICE,
-			"tty required for %s", myname);
-		errx(1, "a tty is required");
-	}
-	if (response == NULL)
-		err(1, "readpassphrase");
-	if ((encrypted = crypt(response, hash)) == NULL) {
+	int success;
+	for (int i = 0; i < AUTH_RETRIES; i++) {
+		success = 1;
+		response = readpassphrase(challenge, rbuf, sizeof(rbuf), RPP_REQUIRE_TTY);
+		if (response == NULL && errno == ENOTTY) {
+			syslog(LOG_AUTHPRIV | LOG_NOTICE,
+				"tty required for %s", myname);
+			errx(1, "a tty is required");
+		}
+		if (response == NULL)
+			err(1, "readpassphrase");
+		if ((encrypted = crypt(response, hash)) == NULL) {
+			explicit_bzero(rbuf, sizeof(rbuf));
+			success = 0;
+		}
 		explicit_bzero(rbuf, sizeof(rbuf));
-		errx(1, "Authentication failed");
-	}
-	explicit_bzero(rbuf, sizeof(rbuf));
-	if (strcmp(encrypted, hash) != 0) {
-		syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
-		errx(1, "Authentication failed");
+		if (strcmp(encrypted, hash) != 0) {
+			syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
+			success = 0;
+		}
+		if (success)
+			break;
+		if (i == AUTH_RETRIES - 1)
+			errx(1, "Authentication failed");
+		else
+			warnx("Authentication failed");
 	}
 
 #ifdef USE_TIMESTAMP