Tree - rpms/sssd - CentOS Git server

rpms / sssd

Blame SOURCES/0022-pam_sss-special-handling-for-gdm-smartcard.patch

Blob History Raw

		8aada9	`From 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 Mon Sep 17 00:00:00 2001`
		8aada9	`From: Sumit Bose <sbose@redhat.com>`
		8aada9	`Date: Wed, 3 Jun 2020 20:36:54 +0200`
		8aada9	`Subject: [PATCH 22/22] pam_sss: special handling for gdm-smartcard`
		8aada9
		8aada9	`The gdm-smartcard service is special since it is triggered by the`
		8aada9	`presence of a Smartcard and even in the case of an error it will`
		8aada9	`immediately try again. To break this loop we should ask for an user`
		8aada9	`input and asking for a PIN is most straight forward and would show the`
		8aada9	`same behavior as pam_pkcs11.`
		8aada9
		8aada9	`Additionally it does not make sense to fall back the a password prompt`
		8aada9	`for gdm-smartcard so also here a PIN prompt should be shown.`
		8aada9
		8aada9	`Resolves: https://github.com/SSSD/sssd/issues/5190`
		8aada9
		8aada9	`Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>`
		8aada9	`---`
		8aada9	`src/sss_client/pam_sss.c \| 16 ++++++++++++----`
		8aada9	`1 file changed, 12 insertions(+), 4 deletions(-)`
		8aada9
		8aada9	`diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c`
		8aada9	`index 7e59f0487..093e53af5 100644`
		8aada9	`--- a/src/sss_client/pam_sss.c`
		8aada9	`+++ b/src/sss_client/pam_sss.c`
		8aada9	`@@ -1835,8 +1835,13 @@ static int prompt_sc_pin(pam_handle_t pamh, struct pam_items pi)`
		8aada9	`struct pam_message m[2] = { { 0 }, { 0 } };`
		8aada9	`struct pam_response *resp = NULL;`
		8aada9	`struct cert_auth_info *cai = pi->selected_cert;`
		8aada9	`+ struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),`
		8aada9	`+ NULL, NULL, NULL, NULL, NULL };`
		8aada9
		8aada9	`- if (cai == NULL \|\| cai->token_name == NULL \|\| *cai->token_name == '\0') {`
		8aada9	`+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {`
		8aada9	`+ cai = &empty_cai;`
		8aada9	`+ } else if (cai == NULL \|\| cai->token_name == NULL`
		8aada9	`+ \|\| *cai->token_name == '\0') {`
		8aada9	`return PAM_SYSTEM_ERR;`
		8aada9	`}`
		8aada9
		8aada9	`@@ -2188,6 +2193,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,`
		8aada9	`}`
		8aada9	`}`
		8aada9	`ret = prompt_sc_pin(pamh, pi);`
		8aada9	`+ } else if (SERVICE_IS_GDM_SMARTCARD(pi)) {`
		8aada9	`+ /* Use pin prompt as fallback for gdm-smartcard */`
		8aada9	`+ ret = prompt_sc_pin(pamh, pi);`
		8aada9	`} else {`
		8aada9	`ret = prompt_password(pamh, pi, _("Password: "));`
		8aada9	`}`
		8aada9	`@@ -2496,7 +2504,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,`
		8aada9	`{`
		8aada9	`int ret;`
		8aada9	`int pam_status;`
		8aada9	`- struct pam_items pi;`
		8aada9	`+ struct pam_items pi = { 0 };`
		8aada9	`uint32_t flags = 0;`
		8aada9	`const int *exp_data;`
		8aada9	`int *pw_exp_data;`
		8aada9	`@@ -2570,7 +2578,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,`
		8aada9	`/*`
		8aada9	`* Since we are only interested in the result message`
		8aada9	`* and will always use password authentication`
		8aada9	`- * as a fallback, errors can be ignored here.`
		8aada9	`+ * as a fallback (except for gdm-smartcard),`
		8aada9	`+ * errors can be ignored here.`
		8aada9	`*/`
		8aada9	`}`
		8aada9	`}`
		8aada9	`@@ -2588,7 +2597,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,`
		8aada9	`quiet_mode);`
		8aada9	`if (ret != PAM_SUCCESS) {`
		8aada9	`D(("check_login_token_name failed.\n"));`
		8aada9	`- return ret;`
		8aada9	`}`
		8aada9	`}`
		8aada9
		8aada9	`--`
		8aada9	`2.21.3`
		8aada9

rpms / sssd

Source Code

Blame SOURCES/0022-pam_sss-special-handling-for-gdm-smartcard.patch