dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Blob Blame History Raw
From b1185573e31f08d4d37ae763b5d7e7f0a37e1244 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 5 May 2020 14:40:09 +0200
Subject: [PATCH] ipa_auth and krb5_auth: when providing wrong password return
 PAM_AUTH_ERR

When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.

Resolves:
https://github.com/SSSD/sssd/issues/5139

Reviewed-by: Sumit Bose <sbose@redhat.com>
(cherry picked from commit 49b9ca15866f59d6e3c1b572545d1b9e76625892)
---
 src/providers/ipa/ipa_auth.c   | 16 ++++++++++++++++
 src/providers/krb5/krb5_auth.c |  8 ++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 1bd017721..2858eb4f5 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -271,6 +271,14 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
         return;
     }
 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+     * password migration would make sense. From this point on it isn't
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+     */
+    if (state->pd->pam_status == PAM_CRED_ERR) {
+        state->pd->pam_status = PAM_AUTH_ERR;
+    }
+
 done:
     /* TODO For backward compatibility we always return EOK to DP now. */
     tevent_req_done(req);
@@ -312,6 +320,14 @@ static void ipa_pam_auth_handler_flag_done(struct tevent_req *subreq)
         return;
     }
 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+     * password migration would make sense. From this point on it isn't
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+     */
+    if (state->pd->pam_status == PAM_CRED_ERR) {
+        state->pd->pam_status = PAM_AUTH_ERR;
+    }
+
 done:
     /* TODO For backward compatibility we always return EOK to DP now. */
     tevent_req_done(req);
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 9a9250434..6ab39547f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1293,6 +1293,14 @@ static void krb5_pam_handler_auth_done(struct tevent_req *subreq)
         state->pd->pam_status = PAM_SYSTEM_ERR;
     }
 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+     * password migration would make sense. From this point on it isn't
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+     */
+    if (state->pd->pam_status == PAM_CRED_ERR) {
+        state->pd->pam_status = PAM_AUTH_ERR;
+    }
+
     /* TODO For backward compatibility we always return EOK to DP now. */
     tevent_req_done(req);
 }
-- 
2.21.1