Blame SOURCES/0025-pam-add-pam_gssapi_services-option.patch

8ad293
From d63172f1277c5ed166a22f04d144bf85ded4757c Mon Sep 17 00:00:00 2001
8ad293
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
8ad293
Date: Fri, 9 Oct 2020 13:03:54 +0200
8ad293
Subject: [PATCH 25/27] pam: add pam_gssapi_services option
8ad293
8ad293
:config: Added `pam_gssapi_services` to list PAM services
8ad293
  that can authenticate using GSSAPI
8ad293
8ad293
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
8ad293
Reviewed-by: Sumit Bose <sbose@redhat.com>
8ad293
---
8ad293
 src/confdb/confdb.c                  | 12 +++++++++++
8ad293
 src/confdb/confdb.h                  |  4 ++++
8ad293
 src/config/SSSDConfig/sssdoptions.py |  1 +
8ad293
 src/config/SSSDConfigTest.py         |  6 ++++--
8ad293
 src/config/cfg_rules.ini             |  3 +++
8ad293
 src/config/etc/sssd.api.conf         |  2 ++
8ad293
 src/db/sysdb_subdomains.c            | 13 ++++++++++++
8ad293
 src/man/sssd.conf.5.xml              | 30 ++++++++++++++++++++++++++++
8ad293
 src/responder/pam/pamsrv.c           | 21 +++++++++++++++++++
8ad293
 src/responder/pam/pamsrv.h           |  3 +++
8ad293
 10 files changed, 93 insertions(+), 2 deletions(-)
8ad293
8ad293
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
8ad293
index f981ddf1e..7f1956d6d 100644
8ad293
--- a/src/confdb/confdb.c
8ad293
+++ b/src/confdb/confdb.c
8ad293
@@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
8ad293
         }
8ad293
     }
8ad293
 
8ad293
+    tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES,
8ad293
+                                      "-");
8ad293
+    if (tmp != NULL) {
8ad293
+        ret = split_on_separator(domain, tmp, ',', true, true,
8ad293
+                                 &domain->gssapi_services, NULL);
8ad293
+        if (ret != 0) {
8ad293
+            DEBUG(SSSDBG_FATAL_FAILURE,
8ad293
+                  "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES);
8ad293
+            goto done;
8ad293
+        }
8ad293
+    }
8ad293
+
8ad293
     domain->has_views = false;
8ad293
     domain->view_name = NULL;
8ad293
 
8ad293
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
8ad293
index 54e3f7380..7a3bc8bb5 100644
8ad293
--- a/src/confdb/confdb.h
8ad293
+++ b/src/confdb/confdb.h
8ad293
@@ -144,6 +144,7 @@
8ad293
 #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
8ad293
 #define CONFDB_PAM_P11_URI "p11_uri"
8ad293
 #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
8ad293
+#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
8ad293
 
8ad293
 /* SUDO */
8ad293
 #define CONFDB_SUDO_CONF_ENTRY "config/sudo"
8ad293
@@ -431,6 +432,9 @@ struct sss_domain_info {
8ad293
 
8ad293
     /* Keytab used by this domain. */
8ad293
     const char *krb5_keytab;
8ad293
+
8ad293
+    /* List of PAM services that are allowed to authenticate with GSSAPI. */
8ad293
+    char **gssapi_services;
8ad293
 };
8ad293
 
8ad293
 /**
8ad293
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
8ad293
index de96db6f4..f59fe8d9f 100644
8ad293
--- a/src/config/SSSDConfig/sssdoptions.py
8ad293
+++ b/src/config/SSSDConfig/sssdoptions.py
8ad293
@@ -104,6 +104,7 @@ class SSSDOptions(object):
8ad293
         'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'),
8ad293
         'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
8ad293
         'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
8ad293
+        'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
8ad293
 
8ad293
         # [sudo]
8ad293
         'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
8ad293
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
8ad293
index 323be5ed3..21fffe1b6 100755
8ad293
--- a/src/config/SSSDConfigTest.py
8ad293
+++ b/src/config/SSSDConfigTest.py
8ad293
@@ -653,7 +653,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
8ad293
             'full_name_format',
8ad293
             're_expression',
8ad293
             'cached_auth_timeout',
8ad293
-            'auto_private_groups']
8ad293
+            'auto_private_groups',
8ad293
+            'pam_gssapi_services']
8ad293
 
8ad293
         self.assertTrue(type(options) == dict,
8ad293
                         "Options should be a dictionary")
8ad293
@@ -1030,7 +1031,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
8ad293
             'full_name_format',
8ad293
             're_expression',
8ad293
             'cached_auth_timeout',
8ad293
-            'auto_private_groups']
8ad293
+            'auto_private_groups',
8ad293
+            'pam_gssapi_services']
8ad293
 
8ad293
         self.assertTrue(type(options) == dict,
8ad293
                         "Options should be a dictionary")
8ad293
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
8ad293
index 773afd8bb..c6dfd5648 100644
8ad293
--- a/src/config/cfg_rules.ini
8ad293
+++ b/src/config/cfg_rules.ini
8ad293
@@ -139,6 +139,7 @@ option = pam_p11_allowed_services
8ad293
 option = p11_wait_for_card_timeout
8ad293
 option = p11_uri
8ad293
 option = pam_initgroups_scheme
8ad293
+option = pam_gssapi_services
8ad293
 
8ad293
 [rule/allowed_sudo_options]
8ad293
 validator = ini_allowed_options
8ad293
@@ -437,6 +438,7 @@ option = wildcard_limit
8ad293
 option = full_name_format
8ad293
 option = re_expression
8ad293
 option = auto_private_groups
8ad293
+option = pam_gssapi_services
8ad293
 
8ad293
 #Entry cache timeouts
8ad293
 option = entry_cache_user_timeout
8ad293
@@ -831,6 +833,7 @@ option = ad_backup_server
8ad293
 option = ad_site
8ad293
 option = use_fully_qualified_names
8ad293
 option = auto_private_groups
8ad293
+option = pam_gssapi_services
8ad293
 
8ad293
 [rule/sssd_checks]
8ad293
 validator = sssd_checks
8ad293
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
8ad293
index 623160ffd..f46f3c46d 100644
8ad293
--- a/src/config/etc/sssd.api.conf
8ad293
+++ b/src/config/etc/sssd.api.conf
8ad293
@@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false
8ad293
 p11_wait_for_card_timeout = int, None, false
8ad293
 p11_uri = str, None, false
8ad293
 pam_initgroups_scheme = str, None, false
8ad293
+pam_gssapi_services = str, None, false
8ad293
 
8ad293
 [sudo]
8ad293
 # sudo service
8ad293
@@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false
8ad293
 full_name_format = str, None, false
8ad293
 re_expression = str, None, false
8ad293
 auto_private_groups = str, None, false
8ad293
+pam_gssapi_services = str, None, false
8ad293
 
8ad293
 #Entry cache timeouts
8ad293
 entry_cache_user_timeout = int, None, false
8ad293
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
8ad293
index 5b42f9bdc..bfc6df0f5 100644
8ad293
--- a/src/db/sysdb_subdomains.c
8ad293
+++ b/src/db/sysdb_subdomains.c
8ad293
@@ -184,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx,
8ad293
     dom->homedir_substr = parent->homedir_substr;
8ad293
     dom->override_gid = parent->override_gid;
8ad293
 
8ad293
+    dom->gssapi_services = parent->gssapi_services;
8ad293
+
8ad293
     if (parent->sysdb == NULL) {
8ad293
         DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n");
8ad293
         goto fail;
8ad293
@@ -241,6 +243,17 @@ check_subdom_config_file(struct confdb_ctx *confdb,
8ad293
           sd_conf_path, CONFDB_DOMAIN_FQ,
8ad293
           subdomain->fqnames ? "TRUE" : "FALSE");
8ad293
 
8ad293
+    /* allow to set pam_gssapi_services */
8ad293
+    ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path,
8ad293
+                                    CONFDB_PAM_GSSAPI_SERVICES,
8ad293
+                                    &subdomain->gssapi_services);
8ad293
+    if (ret != EOK && ret != ENOENT) {
8ad293
+        DEBUG(SSSDBG_OP_FAILURE,
8ad293
+              "Failed to get %s option for the subdomain: %s\n",
8ad293
+              CONFDB_PAM_GSSAPI_SERVICES, subdomain->name);
8ad293
+        goto done;
8ad293
+    }
8ad293
+
8ad293
     ret = EOK;
8ad293
 done:
8ad293
     talloc_free(tmp_ctx);
8ad293
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
8ad293
index d247400bf..db9dd4677 100644
8ad293
--- a/src/man/sssd.conf.5.xml
8ad293
+++ b/src/man/sssd.conf.5.xml
8ad293
@@ -1706,6 +1706,35 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2
8ad293
                         </para>
8ad293
                     </listitem>
8ad293
                 </varlistentry>
8ad293
+                <varlistentry>
8ad293
+                    <term>pam_gssapi_services</term>
8ad293
+                    <listitem>
8ad293
+                        <para>
8ad293
+                            Comma separated list of PAM services that are
8ad293
+                            allowed to try GSSAPI authentication using
8ad293
+                            pam_sss_gss.so module.
8ad293
+                        </para>
8ad293
+                        <para>
8ad293
+                            To disable GSSAPI authentication, set this option
8ad293
+                            to <quote>-</quote> (dash).
8ad293
+                        </para>
8ad293
+                        <para>
8ad293
+                            Note: This option can also be set per-domain which
8ad293
+                            overwrites the value in [pam] section. It can also
8ad293
+                            be set for trusted domain which overwrites the value
8ad293
+                            in the domain section.
8ad293
+                        </para>
8ad293
+                        <para>
8ad293
+                            Example:
8ad293
+                            <programlisting>
8ad293
+pam_gssapi_services = sudo, sudo-i
8ad293
+                            </programlisting>
8ad293
+                        </para>
8ad293
+                        <para>
8ad293
+                            Default: - (GSSAPI authentication is disabled)
8ad293
+                        </para>
8ad293
+                    </listitem>
8ad293
+                </varlistentry>
8ad293
             </variablelist>
8ad293
         </refsect2>
8ad293
 
8ad293
@@ -3780,6 +3809,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
8ad293
             <para>ad_backup_server,</para>
8ad293
             <para>ad_site,</para>
8ad293
             <para>use_fully_qualified_names</para>
8ad293
+            <para>pam_gssapi_services</para>
8ad293
         <para>
8ad293
             For more details about these options see their individual description
8ad293
             in the manual page.
8ad293
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
8ad293
index 1f1ee608b..0492569c7 100644
8ad293
--- a/src/responder/pam/pamsrv.c
8ad293
+++ b/src/responder/pam/pamsrv.c
8ad293
@@ -327,6 +327,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
8ad293
         }
8ad293
     }
8ad293
 
8ad293
+    ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY,
8ad293
+                            CONFDB_PAM_GSSAPI_SERVICES, "-", &tmpstr);
8ad293
+    if (ret != EOK) {
8ad293
+        DEBUG(SSSDBG_FATAL_FAILURE,
8ad293
+              "Failed to determine gssapi services.\n");
8ad293
+        goto done;
8ad293
+    }
8ad293
+    DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr,
8ad293
+                                 CONFDB_PAM_GSSAPI_SERVICES);
8ad293
+
8ad293
+    if (tmpstr != NULL) {
8ad293
+        ret = split_on_separator(pctx, tmpstr, ',', true, true,
8ad293
+                                 &pctx->gssapi_services, NULL);
8ad293
+        if (ret != EOK) {
8ad293
+            DEBUG(SSSDBG_MINOR_FAILURE,
8ad293
+                  "split_on_separator() failed [%d]: [%s].\n", ret,
8ad293
+                  sss_strerror(ret));
8ad293
+            goto done;
8ad293
+        }
8ad293
+    }
8ad293
+
8ad293
     /* The responder is initialized. Now tell it to the monitor. */
8ad293
     ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
8ad293
                                    SSS_PAM_SBUS_SERVICE_NAME,
8ad293
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
8ad293
index 24d307a14..730dee288 100644
8ad293
--- a/src/responder/pam/pamsrv.h
8ad293
+++ b/src/responder/pam/pamsrv.h
8ad293
@@ -62,6 +62,9 @@ struct pam_ctx {
8ad293
     int num_prompting_config_sections;
8ad293
 
8ad293
     enum pam_initgroups_scheme initgroups_scheme;
8ad293
+
8ad293
+    /* List of PAM services that are allowed to authenticate with GSSAPI. */
8ad293
+    char **gssapi_services;
8ad293
 };
8ad293
 
8ad293
 struct pam_auth_req {
8ad293
-- 
8ad293
2.21.3
8ad293