From f743c82d11ffafa1a48f9b7108eff072ecc9ab1c Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Tue, 9 Oct 2018 13:25:35 +0200
Subject: [PATCH 47/47] PAM: return short name for files provider users
|
If the 'allow_missing_name' option is used with pam_sss and the user
name will be determined based on the certificate content and the mapping
rules the PAM responder will by default return the fully-qualified name
of the user which is then later used by other PAM modules as well.
|
For local users which are configured to use SSSD for Smartcard
authentication this might cause issues in other PAM modules because they
are not aware of the fully-qualified name and will treat the user as
unknown.
|
With this patch the PAM responder will return the short name for all
users handled by the files provider.
|
Related to https://pagure.io/SSSD/sssd/issue/3848
|
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
(cherry picked from commit dbd717fe5b7d8dd640b6ade435b49edb3db5280a)
---
src/responder/pam/pamsrv.h | 3 ++-
src/responder/pam/pamsrv_cmd.c | 13 +++++++++----
src/responder/pam/pamsrv_p11.c | 32 +++++++++++++++++++++++++++++---
3 files changed, 40 insertions(+), 8 deletions(-)
|
diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h
|
|
|
71e593 |
index 60aa97967456b9b7ab35e64f103c1c9a17bef3a9..3a927bb39b1e03735c237cc6b5a33234c2f4e2ef 100644
|
|
|
71e593 |
--- a/src/responder/pam/pamsrv.h
|
|
|
71e593 |
+++ b/src/responder/pam/pamsrv.h
|
|
|
71e593 |
@@ -108,7 +108,8 @@ struct tevent_req *pam_check_cert_send(TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
errno_t pam_check_cert_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
|
|
|
71e593 |
struct cert_auth_info **cert_list);
|
|
|
71e593 |
|
|
|
71e593 |
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
|
71e593 |
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
|
|
|
71e593 |
+ const char *sysdb_username,
|
|
|
71e593 |
struct cert_auth_info *cert_info,
|
|
|
71e593 |
enum response_type type);
|
|
|
71e593 |
|
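Review bot: The new `dom` parameter of add_pam_cert_response has no comment, and its name suggests a single domain while the definition in pamsrv_p11.c passes it to find_domain_by_name() as the head of a domain list, which every caller in pamsrv_cmd.c supplies as `preq->cctx->rctx->domains`. A short comment above the prototype would make that contract explicit, e.g. `/* dom: head of the responder's domain list; searched for the domain part of sysdb_username */`, or the parameter could be renamed `domains` in both the header and the definition so the name matches what is passed.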
|
|
71e593 |
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
index a22afd225894872847a0fb13e202f927fd2ae124..553bf8fbbdb485f4a7b2610b894b1a78b4e47317 100644
|
|
|
71e593 |
--- a/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
+++ b/src/responder/pam/pamsrv_cmd.c
|
|
|
71e593 |
@@ -1645,7 +1645,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
|
|
71e593 |
preq->current_cert != NULL;
|
|
|
71e593 |
preq->current_cert = sss_cai_get_next(preq->current_cert)) {
|
|
|
71e593 |
|
|
|
71e593 |
- ret = add_pam_cert_response(preq->pd, "",
|
|
|
71e593 |
+ ret = add_pam_cert_response(preq->pd,
|
|
|
71e593 |
+ preq->cctx->rctx->domains, "",
|
|
|
71e593 |
preq->current_cert,
|
|
|
71e593 |
preq->cctx->rctx->domains->user_name_hint
|
|
|
71e593 |
? SSS_PAM_CERT_INFO_WITH_HINT
|
|
|
71e593 |
@@ -1699,7 +1700,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
|
|
71e593 |
|
|
|
71e593 |
if (preq->cctx->rctx->domains->user_name_hint
|
|
|
71e593 |
&& preq->pd->cmd == SSS_PAM_PREAUTH) {
|
|
|
71e593 |
- ret = add_pam_cert_response(preq->pd, cert_user,
|
|
|
71e593 |
+ ret = add_pam_cert_response(preq->pd,
|
|
|
71e593 |
+ preq->cctx->rctx->domains, cert_user,
|
|
|
71e593 |
preq->cert_list,
|
|
|
71e593 |
SSS_PAM_CERT_INFO_WITH_HINT);
|
|
|
71e593 |
preq->pd->pam_status = PAM_SUCCESS;
|
|
|
71e593 |
@@ -1725,7 +1727,8 @@ static void pam_forwarder_lookup_by_cert_done(struct tevent_req *req)
|
|
|
71e593 |
* SSS_PAM_CERT_INFO message to send the name to the caller. */
|
|
|
71e593 |
if (preq->pd->cmd == SSS_PAM_AUTHENTICATE
|
|
|
71e593 |
&& preq->pd->logon_name == NULL) {
|
|
|
71e593 |
- ret = add_pam_cert_response(preq->pd, cert_user,
|
|
|
71e593 |
+ ret = add_pam_cert_response(preq->pd,
|
|
|
71e593 |
+ preq->cctx->rctx->domains, cert_user,
|
|
|
71e593 |
preq->cert_list,
|
|
|
71e593 |
SSS_PAM_CERT_INFO);
|
|
|
71e593 |
if (ret != EOK) {
|
|
|
71e593 |
@@ -2117,7 +2120,9 @@ static void pam_dom_forwarder(struct pam_auth_req *preq)
|
|
|
71e593 |
"the backend.\n");
|
|
|
71e593 |
}
|
|
|
71e593 |
|
|
|
71e593 |
- ret = add_pam_cert_response(preq->pd, cert_user,
|
|
|
71e593 |
+ ret = add_pam_cert_response(preq->pd,
|
|
|
71e593 |
+ preq->cctx->rctx->domains,
|
|
|
71e593 |
+ cert_user,
|
|
|
71e593 |
preq->current_cert,
|
|
|
71e593 |
SSS_PAM_CERT_INFO);
|
|
|
71e593 |
if (ret != EOK) {
|
|
|
71e593 |
diff --git a/src/responder/pam/pamsrv_p11.c b/src/responder/pam/pamsrv_p11.c
|
|
|
71e593 |
index 491bd2b01d7bf9137b37c35f9da9eca1eed95a6d..785b29c99a65ec7167b31f746fd9a897b038d817 100644
|
|
|
71e593 |
--- a/src/responder/pam/pamsrv_p11.c
|
|
|
71e593 |
+++ b/src/responder/pam/pamsrv_p11.c
|
|
|
71e593 |
@@ -1145,7 +1145,8 @@ static errno_t pack_cert_data(TALLOC_CTX *mem_ctx, const char *sysdb_username,
|
|
|
71e593 |
* used when running gdm-password. */
|
|
|
71e593 |
#define PKCS11_LOGIN_TOKEN_ENV_NAME "PKCS11_LOGIN_TOKEN_NAME"
|
|
|
71e593 |
|
|
|
71e593 |
-errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
|
71e593 |
+errno_t add_pam_cert_response(struct pam_data *pd, struct sss_domain_info *dom,
|
|
|
71e593 |
+ const char *sysdb_username,
|
|
|
71e593 |
struct cert_auth_info *cert_info,
|
|
|
71e593 |
enum response_type type)
|
|
|
71e593 |
{
|
|
|
71e593 |
@@ -1153,6 +1154,10 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
|
71e593 |
char *env = NULL;
|
|
|
71e593 |
size_t msg_len;
|
|
|
71e593 |
int ret;
|
|
|
71e593 |
+ char *short_name = NULL;
|
|
|
71e593 |
+ char *domain_name = NULL;
|
|
|
71e593 |
+ const char *cert_info_name = sysdb_username;
|
|
|
71e593 |
+
|
|
|
71e593 |
|
|
|
71e593 |
if (type != SSS_PAM_CERT_INFO && type != SSS_PAM_CERT_INFO_WITH_HINT) {
|
|
|
71e593 |
DEBUG(SSSDBG_CRIT_FAILURE, "Invalid response type [%d].\n", type);
|
|
|
71e593 |
@@ -1174,9 +1179,30 @@ errno_t add_pam_cert_response(struct pam_data *pd, const char *sysdb_username,
|
|
|
71e593 |
* Smartcard. If this type of name is irritating at the PIN prompt or the
|
|
|
71e593 |
* re_expression config option was set in a way that user@domain cannot be
|
|
|
71e593 |
* handled anymore some more logic has to be added here. But for the time
|
|
|
71e593 |
- * being I think using sysdb_username is fine. */
|
|
|
71e593 |
+ * being I think using sysdb_username is fine.
|
|
|
71e593 |
+ * As special case is the files provider which handles local users which
|
|
|
71e593 |
+ * by definition only have a short name. To avoid confusion by other
|
|
|
71e593 |
+ * modules on the PAM stack the short name is returned in this case. */
|
|
|
71e593 |
|
|
|
71e593 |
- ret = pack_cert_data(pd, sysdb_username, cert_info, &msg, &msg_len);
|
|
|
71e593 |
+ if (sysdb_username != NULL) {
|
|
|
71e593 |
+ ret = sss_parse_internal_fqname(pd, sysdb_username,
|
|
|
71e593 |
+ &short_name, &domain_name);
|
|
|
71e593 |
+ if (ret != EOK) {
|
|
|
71e593 |
+ DEBUG(SSSDBG_CRIT_FAILURE, "Unable to parse name '%s' [%d]: %s, "
|
|
|
71e593 |
+ "using full name.\n",
|
|
|
71e593 |
+ sysdb_username, ret, sss_strerror(ret));
|
|
|
71e593 |
+ } else {
|
|
|
71e593 |
+ if (domain_name != NULL
|
|
|
71e593 |
+ && is_files_provider(find_domain_by_name(dom, domain_name,
|
|
|
71e593 |
+ false))) {
|
|
|
71e593 |
+ cert_info_name = short_name;
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+ }
|
|
|
71e593 |
+
|
|
|
71e593 |
+ ret = pack_cert_data(pd, cert_info_name, cert_info, &msg, &msg_len);
|
|
|
71e593 |
+ talloc_free(short_name);
|
|
|
71e593 |
+ talloc_free(domain_name);
|
|
|
71e593 |
if (ret != EOK) {
|
|
|
71e593 |
DEBUG(SSSDBG_OP_FAILURE, "pack_cert_data failed.\n");
|
|
|
71e593 |
return ret;
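Review bot: The guard `if (sysdb_username != NULL)` lets an empty string through, and pam_forwarder_lookup_by_cert_done (the pamsrv_cmd.c hunk at line 1645) passes `""` as sysdb_username, so on that path sss_parse_internal_fqname() is presumably asked to parse an empty name, fails, and the new DEBUG line logs a CRIT_FAILURE "Unable to parse name ''" for what is normal operation rather than an error. Skipping the lookup for an empty name avoids that noise: `if (sysdb_username != NULL && *sysdb_username != '\0') {`. find_domain_by_name() can return NULL when domain_name is not a configured domain, so the `is_files_provider(...)` call relies on that function tolerating a NULL argument; if that is its contract a one-line comment saying so would help, otherwise an explicit NULL check is needed before deciding to return the short name. The added comment also reads "As special case is the files provider", presumably "A special case is the files provider". The body of add_pam_cert_response continues past the hunk.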
--
2.14.4