From e7c7092d81fe63a41ca40ec3e2057d0bd17819ed Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 3 Jun 2020 20:36:54 +0200
Subject: [PATCH 38/38] pam_sss: special handling for gdm-smartcard
The gdm-smartcard service is special since it is triggered by the
presence of a Smartcard and even in the case of an error it will
immediately try again. To break this loop we should ask for an user
input and asking for a PIN is most straight forward and would show the
same behavior as pam_pkcs11.
Additionally it does not make sense to fall back to a password prompt
for gdm-smartcard so also here a PIN prompt should be shown.
Resolves: https://github.com/SSSD/sssd/issues/5190
(cherry picked with changes from commit 3ed254765fc92e9cc9e4c35335818eaf1256e0d6)
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
src/sss_client/pam_sss.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
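diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4dbf1733c..38a75e1b6 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1799,8 +1799,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 struct pam_message m[2] = { { 0 }, { 0 } };
 struct pam_response *resp = NULL;
 struct cert_auth_info *cai = pi->selected_cert;
+ struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
+ NULL, NULL, NULL, NULL, NULL };
 
- if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
+ cai = &empty_cai;
+ } else if (cai == NULL || cai->token_name == NULL
+ || *cai->token_name == '\0') {
 return EINVAL;
 }
 
@@ -2147,6 +2152,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
 }
 }
 ret = prompt_sc_pin(pamh, pi);
+ } else if (SERVICE_IS_GDM_SMARTCARD(pi)) {
+ /* Use pin prompt as fallback for gdm-smartcard */
+ ret = prompt_sc_pin(pamh, pi);
 } else {
 ret = prompt_password(pamh, pi, _("Password: "));
 }
@@ -2444,7 +2452,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 {
 int ret;
 int pam_status;
- struct pam_items pi;
+ struct pam_items pi = { 0 };
 uint32_t flags = 0;
 const int *exp_data;
 int *pw_exp_data;
@@ -2503,7 +2511,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 /*
 * Since we are only interested in the result message
 * and will always use password authentication
- * as a fallback, errors can be ignored here.
+ * as a fallback (except for gdm-smartcard),
+ * errors can be ignored here.
 */
 }
 }
@@ -2512,7 +2521,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 ret = check_login_token_name(pamh, &pi, quiet_mode);
 if (ret != PAM_SUCCESS) {
 D(("check_login_token_name failed.\n"));
- return ret;
 }
 }
 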
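Review bot: Removing `return ret;` after the `check_login_token_name()` call in the last hunk (`@@ -2512,7 +2521,6 @@`) makes a failed token-name check non-fatal: the failure is only logged through `D()` and `pam_sss()` continues, with `ret` still holding the error until code further down, outside the hunk, overwrites it. The commit description explains the gdm-smartcard PIN prompt but not this change, so a comment next to the `D((...))` line should record why continuing is acceptable, e.g. `/* Deliberately non-fatal: the failure is logged and processing continues below. */`. Separately, the positional initializer of `empty_cai` in the first hunk ties the code to `struct cert_auth_info` having exactly eight members in that order; `struct cert_auth_info empty_cai = { .token_name = discard_const("Smartcard") };` (assuming the third member is indeed `token_name`) keeps the remaining fields zeroed without that coupling, and `prompt_sc_pin()` continues outside the hunk where those NULL members may be read.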
--
2.21.1