From b1185573e31f08d4d37ae763b5d7e7f0a37e1244 Mon Sep 17 00:00:00 2001
From: ikerexxe <ipedrosa@redhat.com>
Date: Tue, 5 May 2020 14:40:09 +0200
Subject: [PATCH] ipa_auth and krb5_auth: when providing wrong password return
 PAM_AUTH_ERR
836b22
When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.
836b22
Resolves:
https://github.com/SSSD/sssd/issues/5139
836b22
Reviewed-by: Sumit Bose <sbose@redhat.com>
836b22
(cherry picked from commit 49b9ca15866f59d6e3c1b572545d1b9e76625892)
836b22
---
836b22
 src/providers/ipa/ipa_auth.c   | 16 ++++++++++++++++
836b22
 src/providers/krb5/krb5_auth.c |  8 ++++++++
836b22
 2 files changed, 24 insertions(+)
836b22
diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 1bd017721..2858eb4f5 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -271,6 +271,14 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
         return;
     }
 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+     * password migration would make sense. From this point on it isn't
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+     */
+    if (state->pd->pam_status == PAM_CRED_ERR) {
+        state->pd->pam_status = PAM_AUTH_ERR;
+    }
+
 done:
     /* TODO For backward compatibility we always return EOK to DP now. */
     tevent_req_done(req);
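Review bot: The four-line comment and the PAM_CRED_ERR-to-PAM_AUTH_ERR rewrite added before `done:` in ipa_pam_auth_handler_krb5_done are repeated verbatim in ipa_pam_auth_handler_flag_done (the second hunk of this file) and once more in krb5_pam_handler_auth_done; the two copies inside ipa_auth.c will drift the next time the rule or its rationale changes. A file-local helper called from both sites, `ipa_pam_auth_drop_cred_err(state->pd);`, keeps the rule and its explanation in one place. Both functions begin outside their hunks, and the new check sits just before the `done:` label rather than after it, so any `goto done` path above it (the label implies there are some) would still hand PAM_CRED_ERR back to the DP untranslated; whether pam_status can hold PAM_CRED_ERR on those paths is not visible here and is worth confirming, since the commit's stated goal is that the client never sees it.
```c
/* PAM_CRED_ERR only tells the IPA provider that password migration may be
 * worth trying; it is not a result for the PAM client, so once the
 * providers are done it is reported as a plain authentication failure. */
static void ipa_pam_auth_drop_cred_err(struct pam_data *pd)
{
    if (pd->pam_status == PAM_CRED_ERR) {
        pd->pam_status = PAM_AUTH_ERR;
    }
}

/* … unchanged: ipa_pam_auth_handler_krb5_done up to the migration subreq … */
    ipa_pam_auth_drop_cred_err(state->pd);

done:
```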
@@ -312,6 +320,14 @@ static void ipa_pam_auth_handler_flag_done(struct tevent_req *subreq)
         return;
     }
 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+     * password migration would make sense. From this point on it isn't
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+     */
+    if (state->pd->pam_status == PAM_CRED_ERR) {
+        state->pd->pam_status = PAM_AUTH_ERR;
+    }
+
 done:
     /* TODO For backward compatibility we always return EOK to DP now. */
     tevent_req_done(req);
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 9a9250434..6ab39547f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1293,6 +1293,14 @@ static void krb5_pam_handler_auth_done(struct tevent_req *subreq)
         state->pd->pam_status = PAM_SYSTEM_ERR;
     }
 
+    /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+     * password migration would make sense. From this point on it isn't
+     * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+     */
+    if (state->pd->pam_status == PAM_CRED_ERR) {
+        state->pd->pam_status = PAM_AUTH_ERR;
+    }
+
     /* TODO For backward compatibility we always return EOK to DP now. */
     tevent_req_done(req);
 }
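Review bot: The comment copied into krb5_pam_handler_auth_done explains the rewrite in terms of "the IPA provider", but this is the generic Kerberos PAM handler, so a reader of krb5_auth.c is left without the local reason for turning PAM_CRED_ERR into PAM_AUTH_ERR here. A comment that states the contract at this site would be clearer, e.g. `/* PAM_CRED_ERR is an internal hint (password migration in the IPA provider), not a result for the PAM client; report a plain authentication failure instead. */`. Presumably the benefit is also that a wrong password for an existing principal and other authentication failures now yield the same PAM status, which removes a distinguishable response; if that is the intent, saying so in the comment would keep a later change from reintroducing the difference. The function's opening is outside the hunk; its closing brace is the hunk's last line.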
-- 
2.21.1