From 277cd1fa71222f3bdf4d8b39d0bce7d07d0df07b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 24 Aug 2020 11:29:23 +0200
Subject: [PATCH] krb5: only try pkinit with Smartcard credentials
Currently pkinit is tried if a Smartcard is present. But depending on
the used PAM service and other configurations it might happen that the
user didn't provide the Smartcard PIN but e.g. the password. Hence,
before trying pkinit we should check if the right credentials are
available.
Resolves:
https://github.com/SSSD/sssd/issues/5290
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit bca413267f58395e22415edc662a7ba89fbe7b30)
---
src/providers/krb5/krb5_child.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
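diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 47eb181ba..d293d195d 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -805,7 +805,11 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx,
 return kerr;
 }
 } else if (strcmp(question_list[c],
- KRB5_RESPONDER_QUESTION_PKINIT) == 0) {
+ KRB5_RESPONDER_QUESTION_PKINIT) == 0
+ && (sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_PIN
+ || sss_authtok_get_type(kr->pd->authtok)
+ == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
 return answer_pkinit(ctx, kr, rctx);
 }
 }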
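Review bot: When the question is KRB5_RESPONDER_QUESTION_PKINIT but the auth token is not a Smartcard type, the new `else if` simply does not match and the visible lines leave no trace that pkinit was skipped. On a host where Smartcard login is expected, that makes a fall-back to another method hard to spot in the logs, so a debug message for this case would help, for example `DEBUG(SSSDBG_TRACE_FUNC, "Skipping pkinit, no Smartcard credentials available.\n");` in a nested check under the PKINIT question match. The condition also calls `sss_authtok_get_type(kr->pd->authtok)` twice; reading the type once into a local before the question comparisons would make it easier to read. The enclosing loop and the rest of sss_krb5_responder lie outside the hunk, so what happens to the unanswered question afterwards cannot be confirmed from here.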
--
2.21.3