|
 |
71e593 |
From 8ec8702a9f06f7c4fe2f4bbfed33a0b3b73f1961 Mon Sep 17 00:00:00 2001
|
|
|
71e593 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
71e593 |
Date: Tue, 18 Sep 2018 18:15:02 +0200
|
|
|
71e593 |
Subject: [PATCH 38/47] PAM: add p11_wait_for_card_timeout option
|
|
|
71e593 |
|
|
|
71e593 |
If the --wait_for_card is used to call p11_child the PAM responder
|
|
|
71e593 |
should be prepared to wait longer until p11_child can return
|
|
|
71e593 |
successfully.
|
|
|
71e593 |
|
|
|
71e593 |
Related to https://pagure.io/SSSD/sssd/issue/3650
|
|
|
71e593 |
|
|
|
71e593 |
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
|
|
|
71e593 |
(cherry picked from commit 2e4ecf5a866b212bef44e262fd90c67a88dc616a)
|
|
|
71e593 |
---
|
|
|
71e593 |
src/confdb/confdb.h | 1 +
|
|
|
71e593 |
src/config/SSSDConfig/__init__.py.in | 1 +
|
|
|
71e593 |
src/config/cfg_rules.ini | 1 +
|
|
|
71e593 |
src/config/etc/sssd.api.conf | 1 +
|
|
|
71e593 |
src/man/sssd.conf.5.xml | 14 ++++++++++++++
|
|
|
71e593 |
src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++
|
|
|
71e593 |
src/util/util.h | 1 +
|
|
|
71e593 |
7 files changed, 34 insertions(+)
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
|
|
|
71e593 |
index 625d156267ebf5f59e3974663256acfbb5f3b027..87904c2146b33b57106ac3799c5a67ee02387e9b 100644
|
|
|
71e593 |
--- a/src/confdb/confdb.h
|
|
|
71e593 |
+++ b/src/confdb/confdb.h
|
|
|
71e593 |
@@ -130,6 +130,7 @@
|
|
|
71e593 |
#define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
|
|
|
71e593 |
#define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
|
|
|
71e593 |
#define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
|
|
|
71e593 |
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
|
|
|
71e593 |
#define CONFDB_PAM_APP_SERVICES "pam_app_services"
|
|
|
71e593 |
#define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
|
|
|
71e593 |
index 81a03adfe91120233afbaed4d2522788b56bea94..4d1dba2d22eae4716fbabe3a3957952f7cd17751 100644
|
|
|
71e593 |
--- a/src/config/SSSDConfig/__init__.py.in
|
|
|
71e593 |
+++ b/src/config/SSSDConfig/__init__.py.in
|
|
|
71e593 |
@@ -104,6 +104,7 @@ option_strings = {
|
|
|
71e593 |
'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
|
|
|
71e593 |
'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
|
|
|
71e593 |
'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
|
|
|
71e593 |
+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
|
|
|
71e593 |
|
|
|
71e593 |
# [sudo]
|
|
|
71e593 |
'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
|
|
|
71e593 |
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
|
|
|
71e593 |
index 36e83a932d6b66cae129a03fb137ba5e4e3092b2..717ccfa3f382b92800bf00ed79f68641a5a83d5c 100644
|
|
|
71e593 |
--- a/src/config/cfg_rules.ini
|
|
|
71e593 |
+++ b/src/config/cfg_rules.ini
|
|
|
71e593 |
@@ -127,6 +127,7 @@ option = pam_cert_db_path
|
|
|
71e593 |
option = p11_child_timeout
|
|
|
71e593 |
option = pam_app_services
|
|
|
71e593 |
option = pam_p11_allowed_services
|
|
|
71e593 |
+option = p11_wait_for_card_timeout
|
|
|
71e593 |
|
|
|
71e593 |
[rule/allowed_sudo_options]
|
|
|
71e593 |
validator = ini_allowed_options
|
|
|
71e593 |
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
|
|
|
71e593 |
index 52494c0e6d50efc2d31c56c0fe023dc9c07e35ba..bb686c34480be27d0829b57a853fa05921730630 100644
|
|
|
71e593 |
--- a/src/config/etc/sssd.api.conf
|
|
|
71e593 |
+++ b/src/config/etc/sssd.api.conf
|
|
|
71e593 |
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
|
|
|
71e593 |
p11_child_timeout = int, None, false
|
|
|
71e593 |
pam_app_services = str, None, false
|
|
|
71e593 |
pam_p11_allowed_services = str, None, false
|
|
|
71e593 |
+p11_wait_for_card_timeout = int, None, false
|
|
|
71e593 |
|
|
|
71e593 |
[sudo]
|
|
|
71e593 |
# sudo service
|
|
|
71e593 |
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
|
|
|
71e593 |
index c1e38950f99cb8df4c59fe10866632030d3c6f25..4df0163311fb3845e6a027be7d0b500cb5d2f0b6 100644
|
|
|
71e593 |
--- a/src/man/sssd.conf.5.xml
|
|
|
71e593 |
+++ b/src/man/sssd.conf.5.xml
|
|
|
71e593 |
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login
|
|
|
71e593 |
</para>
|
|
|
71e593 |
</listitem>
|
|
|
71e593 |
</varlistentry>
|
|
|
71e593 |
+ <varlistentry>
|
|
|
71e593 |
+ <term>p11_wait_for_card_timeout (integer)</term>
|
|
|
71e593 |
+ <listitem>
|
|
|
71e593 |
+ <para>
|
|
|
71e593 |
+ If Smartcard authentication is required how many
|
|
|
71e593 |
+ extra seconds in addition to p11_child_timeout
|
|
|
71e593 |
+ should the PAM responder wait until a Smartcard is
|
|
|
71e593 |
+ inserted.
|
|
|
71e593 |
+ </para>
|
|
|
71e593 |
+ <para>
|
|
|
71e593 |
+ Default: 60
|
|
|
71e593 |
+ </para>
|
|
|
71e593 |
+ </listitem>
|
|
|
71e593 |
+ </varlistentry>
|
|
|
71e593 |
</variablelist>
|
|
|
71e593 |
</refsect2>
|
|
|
71e593 |
|
|
|
71e593 |
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
index 817f3c5134ba4c7358ffb4fbf3c6008fa23ffe0e..c8df32de9e72e9f5ce33e26f0a13101a99f01d5f 100644
|
|
|
71e593 |
--- a/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
|
71e593 |
struct pam_data *pd)
|
|
|
71e593 |
{
|
|
|
71e593 |
int p11_child_timeout;
|
|
|
71e593 |
+ int wait_for_card_timeout;
|
|
|
71e593 |
char *cert_verification_opts;
|
|
|
71e593 |
errno_t ret;
|
|
|
71e593 |
struct tevent_req *req;
|
|
|
71e593 |
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
|
|
|
71e593 |
ret, sss_strerror(ret));
|
|
|
71e593 |
return ret;
|
|
|
71e593 |
}
|
|
|
71e593 |
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
|
|
|
71e593 |
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
|
|
|
71e593 |
+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
|
|
|
71e593 |
+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
|
|
|
71e593 |
+ &wait_for_card_timeout);
|
|
|
71e593 |
+ if (ret != EOK) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE,
|
|
|
71e593 |
+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
|
|
|
71e593 |
+ ret, sss_strerror(ret));
|
|
|
71e593 |
+ return ret;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ p11_child_timeout += wait_for_card_timeout;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
|
|
|
71e593 |
ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
|
|
|
71e593 |
CONFDB_MONITOR_CERT_VERIFICATION, NULL,
|
|
|
71e593 |
diff --git a/src/util/util.h b/src/util/util.h
|
|
|
71e593 |
index 59e7a96ba58aa9400166514064922d25fb713deb..e3e91009728cd8a5a92701220c06e8c378f47431 100644
|
|
|
71e593 |
--- a/src/util/util.h
|
|
|
71e593 |
+++ b/src/util/util.h
|
|
|
71e593 |
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
|
|
|
71e593 |
#define P11_CHILD_LOG_FILE "p11_child"
|
|
|
71e593 |
#define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
|
|
|
71e593 |
#define P11_CHILD_TIMEOUT_DEFAULT 10
|
|
|
71e593 |
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
|
|
|
71e593 |
#endif /* SSSD_LIBEXEC_PATH */
|
|
|
71e593 |
|
|
|
71e593 |
#endif /* __SSSD_UTIL_H__ */
|
|
|
71e593 |
--
|
|
|
71e593 |
2.14.4
|
|
|
71e593 |
|