From 5af7fea571868eed16655adffcc9314911e12417 Mon Sep 17 00:00:00 2001

From: Lukas Slebodnik <lslebodn@redhat.com>

Date: Mon, 20 Oct 2014 22:21:25 +0200

Subject: [PATCH 75/87] PAM: Remove authtok from PAM stack with OTP

We remove the password from the PAM stack when OTP is used to make sure

that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore

and have to request a password on their own.

Resolves:

    https://fedorahosted.org/sssd/ticket/2287

Reviewed-by: Nathaniel McCallum <npmccallum@redhat.com>

---

 src/providers/krb5/krb5_auth.c | 14 ++++++++++++++

 src/sss_client/pam_sss.c       | 16 +++++++++++++++-

 2 files changed, 29 insertions(+), 1 deletion(-)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c

index f539d5068ec29f7b06f734a3417864b43122b1b7..c96b7aee99da8c3d43a67a04bb1f67ee048d4705 100644

--- a/src/providers/krb5/krb5_auth.c

+++ b/src/providers/krb5/krb5_auth.c

@@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq)

         krb5_auth_store_creds(state->domain, pd);

     }

+    if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) {

+        uint32_t otp_flag = 1;

+        ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t),

+                               (const uint8_t *) &otp_flag);

+        if (ret != EOK) {

+            DEBUG(SSSDBG_CRIT_FAILURE,

+                  "pam_add_response failed: %d (%s).\n",

+                  ret, sss_strerror(ret));

+            state->pam_status = PAM_SYSTEM_ERR;

+            state->dp_err = DP_ERR_OK;

+            goto done;

+        }

+    }

+

     state->pam_status = PAM_SUCCESS;

     state->dp_err = DP_ERR_OK;

     ret = EOK;

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c

index abe9b05478cbf480b3430dccd1951e9bfb0e29c1..d64e826daeb80be8998ef3b410047e3a44051b07 100644

--- a/src/sss_client/pam_sss.c

+++ b/src/sss_client/pam_sss.c

@@ -206,7 +206,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str,

     return rp;

 }

-static void overwrite_and_free_pam_items(struct pam_items *pi)

+static void overwrite_and_free_authtoks(struct pam_items *pi)

 {

     if (pi->pam_authtok != NULL) {

         _pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size);

@@ -222,6 +222,11 @@ static void overwrite_and_free_pam_items(struct pam_items *pi)

     pi->pamstack_authtok = NULL;

     pi->pamstack_oldauthtok = NULL;

+}

+

+static void overwrite_and_free_pam_items(struct pam_items *pi)

+{

+    overwrite_and_free_authtoks(pi);

     free(pi->domain_name);

     pi->domain_name = NULL;

@@ -998,6 +1003,15 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf,

                     D(("do_pam_conversation failed."));

                 }

                 break;

+            case SSS_OTP:

+                D(("OTP was used, removing authtokens."));

+                overwrite_and_free_authtoks(pi);

+                ret = pam_set_item(pamh, PAM_AUTHTOK, NULL);

+                if (ret != PAM_SUCCESS) {

+                    D(("Failed to remove PAM_AUTHTOK after using otp [%s]",

+                       pam_strerror(pamh,ret)));

+                }

+                break;

             default:

                 D(("Unknown response type [%d]", type));

         }

-- 

1.9.3