dpward / rpms / sssd

Forked from rpms/sssd 3 years ago
Clone
Source Code
GIT

Files

  1.   32a074a6a1a583cdf939a0a4a69682e72065375b
  2.   SOURCES
  3.   0038-pam_sss-special-handling-for-gdm-smartcard.patch
Blob Blame History Raw 
From e7c7092d81fe63a41ca40ec3e2057d0bd17819ed Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 3 Jun 2020 20:36:54 +0200
Subject: [PATCH 38/38] pam_sss: special handling for gdm-smartcard

The gdm-smartcard service is special since it is triggered by the
presence of a Smartcard and even in the case of an error it will
immediately try again. To break this loop we should ask for an user
input and asking for a PIN is most straight forward and would show the
same behavior as pam_pkcs11.

Additionally it does not make sense to fall back the a password prompt
for gdm-smartcard so also here a PIN prompt should be shown.

Resolves: https://github.com/SSSD/sssd/issues/5190

(cherry picked with changes from commit 3ed254765fc92e9cc9e4c35335818eaf1256e0d6)

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
---
 src/sss_client/pam_sss.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 4dbf1733c..38a75e1b6 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1799,8 +1799,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
     struct pam_message m[2] = { { 0 }, { 0 } };
     struct pam_response *resp = NULL;
     struct cert_auth_info *cai = pi->selected_cert;
+    struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
+                                        NULL, NULL, NULL, NULL, NULL };
 
-    if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
+    if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
+        cai = &empty_cai;
+    } else if (cai == NULL || cai->token_name == NULL
+                    || *cai->token_name == '\0') {
         return EINVAL;
     }
 
@@ -2147,6 +2152,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
                     }
                 }
                 ret = prompt_sc_pin(pamh, pi);
+            } else if (SERVICE_IS_GDM_SMARTCARD(pi)) {
+               /* Use pin prompt as fallback for gdm-smartcard */
+                ret = prompt_sc_pin(pamh, pi);
             } else {
                 ret = prompt_password(pamh, pi, _("Password: "));
             }
@@ -2444,7 +2452,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
 {
     int ret;
     int pam_status;
-    struct pam_items pi;
+    struct pam_items pi = { 0 };
     uint32_t flags = 0;
     const int *exp_data;
     int *pw_exp_data;
@@ -2503,7 +2511,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
                         /*
                          * Since we are only interested in the result message
                          * and will always use password authentication
-                         * as a fallback, errors can be ignored here.
+                         * as a fallback (except for gdm-smartcard),
+                         * errors can be ignored here.
                          */
                     }
                 }
@@ -2512,7 +2521,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
                     ret = check_login_token_name(pamh, &pi, quiet_mode);
                     if (ret != PAM_SUCCESS) {
                         D(("check_login_token_name failed.\n"));
-                        return ret;
                     }
                 }
 
-- 
2.21.1

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation