
From 396089c2acc76bef59040d22c4170673ac4009bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 8 Oct 2018 12:58:41 +0200
Subject: [PATCH 2/2] sssd: add with-smartcard-required feature
Resolves:
https://github.com/pbrezina/authselect/issues/104
---
 profiles/sssd/README           | 6 ++++++
 profiles/sssd/dconf-db         | 1 +
 profiles/sssd/fingerprint-auth | 1 +
 profiles/sssd/password-auth    | 1 +
 profiles/sssd/system-auth      | 1 +
 5 files changed, 10 insertions(+)
diff --git a/profiles/sssd/README b/profiles/sssd/README
1756dc
index c597afecff112e8af7905de9b6a8db77d5c3227c..acbb635729c2b4a69a91cafe4bec76b030967967 100644
1756dc
--- a/profiles/sssd/README
1756dc
+++ b/profiles/sssd/README
1756dc
@@ -53,6 +53,12 @@ with-smartcard::
1756dc
 
1756dc
 with-smartcard-lock-on-removal::
1756dc
     Lock screen when a smartcard is removed.
1756dc
+    Note: "with-smartcard" must be set as well.
1756dc
+
1756dc
+with-smartcard-required::
1756dc
+    Smartcard authentication is required. No other means of authentication
1756dc
+    (including password) will be enabled.
1756dc
+    Note: "with-smartcard" must be set as well.
1756dc
 
1756dc
 with-fingerprint::
1756dc
     Enable authentication with fingerprint reader through *pam_fprintd*.
1756dc
diff --git a/profiles/sssd/dconf-db b/profiles/sssd/dconf-db
1756dc
index cf22698fcc8a292c1bf68466f943595ca54c7b27..b24f783eb700713386d66857de2532482d15ce7c 100644
1756dc
--- a/profiles/sssd/dconf-db
1756dc
+++ b/profiles/sssd/dconf-db
1756dc
@@ -1,6 +1,7 @@
1756dc
 [org/gnome/login-screen]
1756dc
 enable-smartcard-authentication={if "with-smartcard":true|false}
1756dc
 enable-fingerprint-authentication={if "with-fingerprint":true|false}
1756dc
+enable-password-authentication={if "with-smartcard-required":false|true}
1756dc
 
1756dc
 [org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
1756dc
 removal-action='lock-screen'                      {include if "with-smartcard-lock-on-removal"}
1756dc
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
1756dc
index 01a5d21748f8e84acde23a0926782cf817fefc79..01b70f3533149d00700859f3e0a1c3f2abb33a8a 100644
1756dc
--- a/profiles/sssd/fingerprint-auth
1756dc
+++ b/profiles/sssd/fingerprint-auth
1756dc
@@ -1,5 +1,6 @@
1756dc
 {continue if "with-fingerprint"}
1756dc
 auth        required                                     pam_env.so
1756dc
+auth        required                                     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}
1756dc
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
1756dc
 auth        sufficient                                   pam_fprintd.so
1756dc
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
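Review bot: The added pam_deny.so line uses the `required` control, so when with-smartcard-required is set the stack still runs every module after it — pam_fprintd on the line below here, and presumably pam_unix's password prompt further down in password-auth — before the already-decided failure is returned, so the user is asked for a fingerprint or password that can never succeed. If the intent is to refuse without prompting, `auth        requisite                                    pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}` ends the stack at that point; if the prompt is deliberately kept so that the policy is not revealed to the caller, a short comment on the line saying so would help. The same line is added to profiles/sssd/password-auth in the next hunk and the same remark applies there. Both auth stacks continue past the end of the hunk.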
1756dc
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
1756dc
index e35c8d6943b8289d8b65d7a47b2dad8143b6132b..3205f261dd8c898baf292c252ebdb346fcb779bb 100644
1756dc
--- a/profiles/sssd/password-auth
1756dc
+++ b/profiles/sssd/password-auth
1756dc
@@ -1,5 +1,6 @@
1756dc
 auth        required                                     pam_env.so
1756dc
 auth        required                                     pam_faildelay.so delay=2000000
1756dc
+auth        required                                     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}
1756dc
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
1756dc
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
1756dc
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
1756dc
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
1756dc
index a3d351cd5c37fb065892a0b71ec5323fd13a957d..982cada1f774e6d53dd75c9f5dbc0603337cd70b 100644
1756dc
--- a/profiles/sssd/system-auth
1756dc
+++ b/profiles/sssd/system-auth
1756dc
@@ -1,6 +1,7 @@
1756dc
 auth        required                                     pam_env.so
1756dc
 auth        required                                     pam_faildelay.so delay=2000000
1756dc
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
1756dc
+auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail   {include if "with-smartcard-required"}
1756dc
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
1756dc
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
1756dc
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
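Review bot: The new pam_sss line combines `ignore_authinfo_unavail` with `ignore=ignore`, so when SSSD is not reachable the module's result is discarded and control falls through to the remaining auth modules — pam_fprintd on the next line and whatever follows the hunk, presumably pam_unix — which re-enables password authentication exactly when the smartcard backend is down and contradicts the README text that no other means will be enabled. If that offline fallback is an intended break-glass, the README entry should say so; if not, the result should not be ignored, or the line should be followed by `auth        required                                     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}` so the stack ends there, as the other two profiles do. Separately, `default=die` returns before the `pam_faillock.so authfail` line that presumably sits further down, so failed certificate/PIN attempts are not tallied when with-faillock is also set; worth a comment if the card's own PIN retry counter is relied on instead. The auth stack continues beyond the hunk.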
1756dc
-- 
2.17.1