rpms / sssd

Clone
Source Code
GIT

Blame SOURCES/0017-ipa_auth-and-krb5_auth-when-providing-wrong-password.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8 c8-beta c8s c9 c9-beta
  1.   836b2236d1ecde1c135500aaac52f5f73d49e41d
  2.   SOURCES
  3.   0017-ipa_auth-and-krb5_auth-when-providing-wrong-password.patch
Blob History Raw
836b22 
From b1185573e31f08d4d37ae763b5d7e7f0a37e1244 Mon Sep 17 00:00:00 2001
836b22 
From: ikerexxe <ipedrosa@redhat.com>
836b22 
Date: Tue, 5 May 2020 14:40:09 +0200
836b22 
Subject: [PATCH] ipa_auth and krb5_auth: when providing wrong password return
836b22 
 PAM_AUTH_ERR
836b22
836b22 
When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.
836b22
836b22 
Resolves:
836b22 
https://github.com/SSSD/sssd/issues/5139
836b22
836b22 
Reviewed-by: Sumit Bose <sbose@redhat.com>
836b22 
(cherry picked from commit 49b9ca15866f59d6e3c1b572545d1b9e76625892)
836b22 
---
836b22 
 src/providers/ipa/ipa_auth.c   | 16 ++++++++++++++++
836b22 
 src/providers/krb5/krb5_auth.c |  8 ++++++++
836b22 
 2 files changed, 24 insertions(+)
836b22
836b22 
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
836b22 
index 1bd017721..2858eb4f5 100644
836b22 
--- a/src/providers/ipa/ipa_auth.c
836b22 
+++ b/src/providers/ipa/ipa_auth.c
836b22 
@@ -271,6 +271,14 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
836b22 
         return;
836b22 
     }
836b22
836b22 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
836b22 
+     * password migration would make sense. From this point on it isn't
836b22 
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
836b22 
+     */
836b22 
+    if (state->pd->pam_status == PAM_CRED_ERR) {
836b22 
+        state->pd->pam_status = PAM_AUTH_ERR;
836b22 
+    }
836b22 
+
836b22 
 done:
836b22 
     /* TODO For backward compatibility we always return EOK to DP now. */
836b22 
     tevent_req_done(req);
836b22 
@@ -312,6 +320,14 @@ static void ipa_pam_auth_handler_flag_done(struct tevent_req *subreq)
836b22 
         return;
836b22 
     }
836b22
836b22 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
836b22 
+     * password migration would make sense. From this point on it isn't
836b22 
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
836b22 
+     */
836b22 
+    if (state->pd->pam_status == PAM_CRED_ERR) {
836b22 
+        state->pd->pam_status = PAM_AUTH_ERR;
836b22 
+    }
836b22 
+
836b22 
 done:
836b22 
     /* TODO For backward compatibility we always return EOK to DP now. */
836b22 
     tevent_req_done(req);
836b22 
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
836b22 
index 9a9250434..6ab39547f 100644
836b22 
--- a/src/providers/krb5/krb5_auth.c
836b22 
+++ b/src/providers/krb5/krb5_auth.c
836b22 
@@ -1293,6 +1293,14 @@ static void krb5_pam_handler_auth_done(struct tevent_req *subreq)
836b22 
         state->pd->pam_status = PAM_SYSTEM_ERR;
836b22 
     }
836b22
836b22 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
836b22 
+     * password migration would make sense. From this point on it isn't
836b22 
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
836b22 
+     */
836b22 
+    if (state->pd->pam_status == PAM_CRED_ERR) {
836b22 
+        state->pd->pam_status = PAM_AUTH_ERR;
836b22 
+    }
836b22 
+
836b22 
     /* TODO For backward compatibility we always return EOK to DP now. */
836b22 
     tevent_req_done(req);
836b22 
 }
836b22 
--
836b22 
2.21.1
836b22

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation