|
 |
bac598 |
From fffe3169bb490c4b010b168c639aa6f9b2ec0c52 Mon Sep 17 00:00:00 2001
|
|
|
bac598 |
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
|
|
|
bac598 |
Date: Thu, 10 Dec 2020 22:05:30 +0100
|
|
|
bac598 |
Subject: [PATCH 26/27] pam: add pam_gssapi_check_upn option
|
|
|
bac598 |
|
|
|
bac598 |
:config: Added `pam_gssapi_check_upn` to enforce authentication
|
|
|
bac598 |
only with principal that can be associated with target user.
|
|
|
bac598 |
|
|
|
bac598 |
Reviewed-by: Robbie Harwood <rharwood@redhat.com>
|
|
|
bac598 |
Reviewed-by: Sumit Bose <sbose@redhat.com>
|
|
|
bac598 |
---
|
|
|
bac598 |
src/confdb/confdb.c | 10 ++++++++++
|
|
|
bac598 |
src/confdb/confdb.h | 2 ++
|
|
|
bac598 |
src/config/SSSDConfig/sssdoptions.py | 1 +
|
|
|
bac598 |
src/config/SSSDConfigTest.py | 6 ++++--
|
|
|
bac598 |
src/config/cfg_rules.ini | 3 +++
|
|
|
bac598 |
src/config/etc/sssd.api.conf | 2 ++
|
|
|
bac598 |
src/db/sysdb_subdomains.c | 12 ++++++++++++
|
|
|
bac598 |
src/man/sssd.conf.5.xml | 26 ++++++++++++++++++++++++++
|
|
|
bac598 |
src/responder/pam/pamsrv.c | 9 +++++++++
|
|
|
bac598 |
src/responder/pam/pamsrv.h | 1 +
|
|
|
bac598 |
10 files changed, 70 insertions(+), 2 deletions(-)
|
|
|
bac598 |
|
|
|
bac598 |
diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c
|
|
|
bac598 |
index 7f1956d6d..2881ce5da 100644
|
|
|
bac598 |
--- a/src/confdb/confdb.c
|
|
|
bac598 |
+++ b/src/confdb/confdb.c
|
|
|
bac598 |
@@ -1593,6 +1593,16 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb,
|
|
|
bac598 |
}
|
|
|
bac598 |
}
|
|
|
bac598 |
|
|
|
bac598 |
+ tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_CHECK_UPN,
|
|
|
bac598 |
+ NULL);
|
|
|
bac598 |
+ if (tmp != NULL) {
|
|
|
bac598 |
+ domain->gssapi_check_upn = talloc_strdup(domain, tmp);
|
|
|
bac598 |
+ if (domain->gssapi_check_upn == NULL) {
|
|
|
bac598 |
+ ret = ENOMEM;
|
|
|
bac598 |
+ goto done;
|
|
|
bac598 |
+ }
|
|
|
bac598 |
+ }
|
|
|
bac598 |
+
|
|
|
bac598 |
domain->has_views = false;
|
|
|
bac598 |
domain->view_name = NULL;
|
|
|
bac598 |
|
|
|
bac598 |
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
|
bac598 |
index 7a3bc8bb5..036f9ecad 100644
|
|
|
bac598 |
--- a/src/confdb/confdb.h
|
|
|
bac598 |
+++ b/src/confdb/confdb.h
|
|
|
bac598 |
@@ -145,6 +145,7 @@
|
|
|
bac598 |
#define CONFDB_PAM_P11_URI "p11_uri"
|
|
|
bac598 |
#define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme"
|
|
|
bac598 |
#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services"
|
|
|
bac598 |
+#define CONFDB_PAM_GSSAPI_CHECK_UPN "pam_gssapi_check_upn"
|
|
|
bac598 |
|
|
|
bac598 |
/* SUDO */
|
|
|
bac598 |
#define CONFDB_SUDO_CONF_ENTRY "config/sudo"
|
|
|
bac598 |
@@ -435,6 +436,7 @@ struct sss_domain_info {
|
|
|
bac598 |
|
|
|
bac598 |
/* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
|
bac598 |
char **gssapi_services;
|
|
|
bac598 |
+ char *gssapi_check_upn; /* true | false | NULL */
|
|
|
bac598 |
};
|
|
|
bac598 |
|
|
|
bac598 |
/**
|
|
|
bac598 |
diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py
|
|
|
bac598 |
index f59fe8d9f..5da52a937 100644
|
|
|
bac598 |
--- a/src/config/SSSDConfig/sssdoptions.py
|
|
|
bac598 |
+++ b/src/config/SSSDConfig/sssdoptions.py
|
|
|
bac598 |
@@ -105,6 +105,7 @@ class SSSDOptions(object):
|
|
|
bac598 |
'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'),
|
|
|
bac598 |
'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'),
|
|
|
bac598 |
'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'),
|
|
|
bac598 |
+ 'pam_gssapi_check_upn' : _('Whether to match authenticated UPN with target user'),
|
|
|
bac598 |
|
|
|
bac598 |
# [sudo]
|
|
|
bac598 |
'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
|
bac598 |
diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py
|
|
|
bac598 |
index 21fffe1b6..ea4e4f6c9 100755
|
|
|
bac598 |
--- a/src/config/SSSDConfigTest.py
|
|
|
bac598 |
+++ b/src/config/SSSDConfigTest.py
|
|
|
bac598 |
@@ -654,7 +654,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
|
bac598 |
're_expression',
|
|
|
bac598 |
'cached_auth_timeout',
|
|
|
bac598 |
'auto_private_groups',
|
|
|
bac598 |
- 'pam_gssapi_services']
|
|
|
bac598 |
+ 'pam_gssapi_services',
|
|
|
bac598 |
+ 'pam_gssapi_check_upn']
|
|
|
bac598 |
|
|
|
bac598 |
self.assertTrue(type(options) == dict,
|
|
|
bac598 |
"Options should be a dictionary")
|
|
|
bac598 |
@@ -1032,7 +1033,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase):
|
|
|
bac598 |
're_expression',
|
|
|
bac598 |
'cached_auth_timeout',
|
|
|
bac598 |
'auto_private_groups',
|
|
|
bac598 |
- 'pam_gssapi_services']
|
|
|
bac598 |
+ 'pam_gssapi_services',
|
|
|
bac598 |
+ 'pam_gssapi_check_upn']
|
|
|
bac598 |
|
|
|
bac598 |
self.assertTrue(type(options) == dict,
|
|
|
bac598 |
"Options should be a dictionary")
|
|
|
bac598 |
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
bac598 |
index c6dfd5648..6642c6321 100644
|
|
|
bac598 |
--- a/src/config/cfg_rules.ini
|
|
|
bac598 |
+++ b/src/config/cfg_rules.ini
|
|
|
bac598 |
@@ -140,6 +140,7 @@ option = p11_wait_for_card_timeout
|
|
|
bac598 |
option = p11_uri
|
|
|
bac598 |
option = pam_initgroups_scheme
|
|
|
bac598 |
option = pam_gssapi_services
|
|
|
bac598 |
+option = pam_gssapi_check_upn
|
|
|
bac598 |
|
|
|
bac598 |
[rule/allowed_sudo_options]
|
|
|
bac598 |
validator = ini_allowed_options
|
|
|
bac598 |
@@ -439,6 +440,7 @@ option = full_name_format
|
|
|
bac598 |
option = re_expression
|
|
|
bac598 |
option = auto_private_groups
|
|
|
bac598 |
option = pam_gssapi_services
|
|
|
bac598 |
+option = pam_gssapi_check_upn
|
|
|
bac598 |
|
|
|
bac598 |
#Entry cache timeouts
|
|
|
bac598 |
option = entry_cache_user_timeout
|
|
|
bac598 |
@@ -834,6 +836,7 @@ option = ad_site
|
|
|
bac598 |
option = use_fully_qualified_names
|
|
|
bac598 |
option = auto_private_groups
|
|
|
bac598 |
option = pam_gssapi_services
|
|
|
bac598 |
+option = pam_gssapi_check_upn
|
|
|
bac598 |
|
|
|
bac598 |
[rule/sssd_checks]
|
|
|
bac598 |
validator = sssd_checks
|
|
|
bac598 |
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
|
bac598 |
index f46f3c46d..d3cad7380 100644
|
|
|
bac598 |
--- a/src/config/etc/sssd.api.conf
|
|
|
bac598 |
+++ b/src/config/etc/sssd.api.conf
|
|
|
bac598 |
@@ -81,6 +81,7 @@ p11_wait_for_card_timeout = int, None, false
|
|
|
bac598 |
p11_uri = str, None, false
|
|
|
bac598 |
pam_initgroups_scheme = str, None, false
|
|
|
bac598 |
pam_gssapi_services = str, None, false
|
|
|
bac598 |
+pam_gssapi_check_upn = bool, None, false
|
|
|
bac598 |
|
|
|
bac598 |
[sudo]
|
|
|
bac598 |
# sudo service
|
|
|
bac598 |
@@ -201,6 +202,7 @@ full_name_format = str, None, false
|
|
|
bac598 |
re_expression = str, None, false
|
|
|
bac598 |
auto_private_groups = str, None, false
|
|
|
bac598 |
pam_gssapi_services = str, None, false
|
|
|
bac598 |
+pam_gssapi_check_upn = bool, None, false
|
|
|
bac598 |
|
|
|
bac598 |
#Entry cache timeouts
|
|
|
bac598 |
entry_cache_user_timeout = int, None, false
|
|
|
bac598 |
diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c
|
|
|
bac598 |
index bfc6df0f5..03ba12164 100644
|
|
|
bac598 |
--- a/src/db/sysdb_subdomains.c
|
|
|
bac598 |
+++ b/src/db/sysdb_subdomains.c
|
|
|
bac598 |
@@ -254,6 +254,18 @@ check_subdom_config_file(struct confdb_ctx *confdb,
|
|
|
bac598 |
goto done;
|
|
|
bac598 |
}
|
|
|
bac598 |
|
|
|
bac598 |
+ /* allow to set pam_gssapi_check_upn */
|
|
|
bac598 |
+ ret = confdb_get_string(confdb, subdomain, sd_conf_path,
|
|
|
bac598 |
+ CONFDB_PAM_GSSAPI_CHECK_UPN,
|
|
|
bac598 |
+ subdomain->parent->gssapi_check_upn,
|
|
|
bac598 |
+ &subdomain->gssapi_check_upn);
|
|
|
bac598 |
+ if (ret != EOK) {
|
|
|
bac598 |
+ DEBUG(SSSDBG_OP_FAILURE,
|
|
|
bac598 |
+ "Failed to get %s option for the subdomain: %s\n",
|
|
|
bac598 |
+ CONFDB_PAM_GSSAPI_CHECK_UPN, subdomain->name);
|
|
|
bac598 |
+ goto done;
|
|
|
bac598 |
+ }
|
|
|
bac598 |
+
|
|
|
bac598 |
ret = EOK;
|
|
|
bac598 |
done:
|
|
|
bac598 |
talloc_free(tmp_ctx);
|
|
|
bac598 |
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
bac598 |
index db9dd4677..d637e2eaa 100644
|
|
|
bac598 |
--- a/src/man/sssd.conf.5.xml
|
|
|
bac598 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
bac598 |
@@ -1735,6 +1735,31 @@ pam_gssapi_services = sudo, sudo-i
|
|
|
bac598 |
</para>
|
|
|
bac598 |
</listitem>
|
|
|
bac598 |
</varlistentry>
|
|
|
bac598 |
+ <varlistentry>
|
|
|
bac598 |
+ <term>pam_gssapi_check_upn</term>
|
|
|
bac598 |
+ <listitem>
|
|
|
bac598 |
+ <para>
|
|
|
bac598 |
+ If True, SSSD will require that the Kerberos user
|
|
|
bac598 |
+ principal that successfully authenticated through
|
|
|
bac598 |
+ GSSAPI can be associated with the user who is being
|
|
|
bac598 |
+ authenticated. Authentication will fail if the check
|
|
|
bac598 |
+ fails.
|
|
|
bac598 |
+ </para>
|
|
|
bac598 |
+ <para>
|
|
|
bac598 |
+ If False, every user that is able to obtained
|
|
|
bac598 |
+ required service ticket will be authenticated.
|
|
|
bac598 |
+ </para>
|
|
|
bac598 |
+ <para>
|
|
|
bac598 |
+ Note: This option can also be set per-domain which
|
|
|
bac598 |
+ overwrites the value in [pam] section. It can also
|
|
|
bac598 |
+ be set for trusted domain which overwrites the value
|
|
|
bac598 |
+ in the domain section.
|
|
|
bac598 |
+ </para>
|
|
|
bac598 |
+ <para>
|
|
|
bac598 |
+ Default: True
|
|
|
bac598 |
+ </para>
|
|
|
bac598 |
+ </listitem>
|
|
|
bac598 |
+ </varlistentry>
|
|
|
bac598 |
</variablelist>
|
|
|
bac598 |
</refsect2>
|
|
|
bac598 |
|
|
|
bac598 |
@@ -3810,6 +3835,7 @@ ldap_user_extra_attrs = phone:telephoneNumber
|
|
|
bac598 |
<para>ad_site,</para>
|
|
|
bac598 |
<para>use_fully_qualified_names</para>
|
|
|
bac598 |
<para>pam_gssapi_services</para>
|
|
|
bac598 |
+ <para>pam_gssapi_check_upn</para>
|
|
|
bac598 |
<para>
|
|
|
bac598 |
For more details about these options see their individual description
|
|
|
bac598 |
in the manual page.
|
|
|
bac598 |
diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c
|
|
|
bac598 |
index 0492569c7..0db2824ff 100644
|
|
|
bac598 |
--- a/src/responder/pam/pamsrv.c
|
|
|
bac598 |
+++ b/src/responder/pam/pamsrv.c
|
|
|
bac598 |
@@ -348,6 +348,15 @@ static int pam_process_init(TALLOC_CTX *mem_ctx,
|
|
|
bac598 |
}
|
|
|
bac598 |
}
|
|
|
bac598 |
|
|
|
bac598 |
+ ret = confdb_get_bool(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
|
|
bac598 |
+ CONFDB_PAM_GSSAPI_CHECK_UPN, true,
|
|
|
bac598 |
+ &pctx->gssapi_check_upn);
|
|
|
bac598 |
+ if (ret != EOK) {
|
|
|
bac598 |
+ DEBUG(SSSDBG_FATAL_FAILURE, "Failed to read %s [%d]: %s\n",
|
|
|
bac598 |
+ CONFDB_PAM_GSSAPI_CHECK_UPN, ret, sss_strerror(ret));
|
|
|
bac598 |
+ goto done;
|
|
|
bac598 |
+ }
|
|
|
bac598 |
+
|
|
|
bac598 |
/* The responder is initialized. Now tell it to the monitor. */
|
|
|
bac598 |
ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM,
|
|
|
bac598 |
SSS_PAM_SBUS_SERVICE_NAME,
|
|
|
bac598 |
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
|
bac598 |
index 730dee288..bf4dd75b0 100644
|
|
|
bac598 |
--- a/src/responder/pam/pamsrv.h
|
|
|
bac598 |
+++ b/src/responder/pam/pamsrv.h
|
|
|
bac598 |
@@ -65,6 +65,7 @@ struct pam_ctx {
|
|
|
bac598 |
|
|
|
bac598 |
/* List of PAM services that are allowed to authenticate with GSSAPI. */
|
|
|
bac598 |
char **gssapi_services;
|
|
|
bac598 |
+ bool gssapi_check_upn;
|
|
|
bac598 |
};
|
|
|
bac598 |
|
|
|
bac598 |
struct pam_auth_req {
|
|
|
bac598 |
--
|
|
|
bac598 |
2.21.3
|
|
|
bac598 |
|