From 895aa34af41cc76aaac78c3cb74c68eeeb31a1d9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 15 May 2020 10:43:46 +0200
Subject: [PATCH] krb5: do not cache ccache or password during preauth
|
The PAM preauth step is mainly used to determine which authentication
methods (single factor, two factor, Smartcard) are available for the
user. It does not make sense to try to store the password hash or the
credential cache at this step because this information is not available
or not accurate at this step.
|
It might even cause issues if the credential cache name contains a random
component. This is typically used for file based credential caches
stored in the /tmp directory to avoid attacks to pre-create the file
since the name is known. Since the credential cache name still contains
the template for the random component 'XXXXXX' updating the credential
cache name in the cache during preauth destroys the information about
the currently used credential cache and upcoming authentications will
create a new one.
|
This causes issues with screen-savers or screen-lock where every
unlocking creates a new credential cache file and not updates the
existing one as it is expected. Another case is if a user logs in
multiple times to the same host, e.g. with ssh. Here it is expected as
well that the first session will create a new credential cache file
while all additional sessions will reuse it and only update the TGT in
the existing credential.
|
Resolves: https://github.com/SSSD/sssd/issues/5160
|
Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
(cherry picked from commit 11435b1060675339263ce0a2a546cc44ab9bd576)
---
src/providers/krb5/krb5_auth.c | 7 +++++++
1 file changed, 7 insertions(+)
|
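diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6ab39547f..b83e59092 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1089,6 +1089,13 @@ static void krb5_auth_done(struct tevent_req *subreq)
 kr->srv, PORT_WORKING);
 }
 
+ if (pd->cmd == SSS_PAM_PREAUTH) {
+ state->pam_status = PAM_SUCCESS;
+ state->dp_err = DP_ERR_OK;
+ ret = EOK;
+ goto done;
+ }
+
 /* Now only a successful authentication or password change is left.
 *
 * We expect that one of the messages in the received buffer contains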
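Review bot: The new SSS_PAM_PREAUTH early exit carries none of the reasoning from the commit message into the code, so a later reader of krb5_auth_done will not see why preauth must skip the credential-cache and password handling that follows; add a comment above the new `if`, e.g. `/* Preauth only reports the available authentication methods; the ccache name may still hold its unresolved random template and no usable password is present, so do not update the cached ccache name or password here. */`. The branch also reports PAM_SUCCESS and DP_ERR_OK unconditionally for preauth — presumably the child's error status has already been checked earlier in the function, but that part of krb5_auth_done is outside the hunk, as is the `done:` label the new `goto` targets. It is worth confirming that nothing below the hunk performs cleanup the preauth path still relies on and that `done` does not depend on state only set by the skipped code.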
--
2.21.1
|