Blame SOURCES/0057-krb5-return-to-responder-that-pkinit-is-not-availabl.patch

ecf709
From 01ed8c7d7fcd9090d0953f85ef0604cbcad4f48b Mon Sep 17 00:00:00 2001
ecf709
From: Sumit Bose <sbose@redhat.com>
ecf709
Date: Thu, 16 Mar 2017 20:43:08 +0100
ecf709
Subject: [PATCH 57/60] krb5: return to responder that pkinit is not available
ecf709
MIME-Version: 1.0
ecf709
Content-Type: text/plain; charset=UTF-8
ecf709
Content-Transfer-Encoding: 8bit
ecf709
ecf709
If pkinit is not available for a user but other authentication methods
ecf709
are SSSD should still fall back to local certificate based
ecf709
authentication if Smartcard credentials are provided.
ecf709
ecf709
Resolves https://pagure.io/SSSD/sssd/issue/3343
ecf709
ecf709
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
ecf709
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
ecf709
---
ecf709
 src/providers/krb5/krb5_child.c | 17 +++++++++++++----
ecf709
 1 file changed, 13 insertions(+), 4 deletions(-)
ecf709
ecf709
diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
ecf709
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
ecf709
--- a/src/providers/krb5/krb5_child.c
ecf709
+++ b/src/providers/krb5/krb5_child.c
ecf709
@@ -42,6 +42,10 @@
ecf709
 
ecf709
 #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
ecf709
 
ecf709
+#define IS_SC_AUTHTOK(tok) ( \
ecf709
+    sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
ecf709
+        || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
ecf709
+
ecf709
 enum k5c_fast_opt {
ecf709
     K5C_FAST_NEVER,
ecf709
     K5C_FAST_TRY,
ecf709
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
ecf709
              * pre-auth module is missing or no Smartcard is inserted and only
ecf709
              * pkinit is available KRB5_PREAUTH_FAILED is returned.
ecf709
              * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
ecf709
-             * frontend that local authentication might be tried. */
ecf709
+             * frontend that local authentication might be tried.
ecf709
+             * Same is true if Smartcard credentials are given but only other
ecf709
+             * authentication methods are available. */
ecf709
             if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
ecf709
                     && kerr == KRB5_PREAUTH_FAILED
ecf709
-                    && kr->password_prompting == false
ecf709
-                    && kr->otp == false
ecf709
-                    && kr->pkinit_prompting == false) {
ecf709
+                    && kr->pkinit_prompting == false
ecf709
+                    && (( kr->password_prompting == false
ecf709
+                              && kr->otp == false)
ecf709
+                            || ((kr->otp == true
ecf709
+                                    || kr->password_prompting == true)
ecf709
+                              && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
ecf709
                 return ERR_NO_AUTH_METHOD_AVAILABLE;
ecf709
             }
ecf709
             return kerr;
ecf709
-- 
ecf709
2.9.3
ecf709