From 55470b17eacdf97696b4736e9eb8bd2618601475 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Wed, 7 Nov 2018 11:49:11 +0100
Subject: [PATCH] pam_sss: return PAM_AUTHINFO_UNAVAIL if sc options are set
If pam_sss is called for PAM_USER root it currently returns
PAM_USER_UNKNOWN since SSSD does not handle root. To meet the documented
behavior if one of the sc options is used, pam_sss should return
PAM_AUTHINFO_UNAVAIL in this case as well.
Related to https://pagure.io/SSSD/sssd/issue/3876
Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
---
src/sss_client/pam_sss.c | 4 ++++
src/tests/intg/test_pam_responder.py | 28 ++++++++++++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index b4c1036ad..69dc50dfd 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2378,6 +2378,10 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
ret = get_pam_items(pamh, flags, &pi);
if (ret != PAM_SUCCESS) {
D(("get items returned error: %s", pam_strerror(pamh,ret)));
+ if ((flags & PAM_CLI_FLAGS_TRY_CERT_AUTH)
+ || (flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) ) {
+ return PAM_AUTHINFO_UNAVAIL;
+ }
if (flags & PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER && ret == PAM_USER_UNKNOWN) {
ret = PAM_IGNORE;
}
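Review bot: The new early return fires on any get_pam_items() failure when a cert-auth flag is set, not only on the PAM_USER_UNKNOWN case the commit message describes, so a PAM_BUF_ERR or PAM_SYSTEM_ERR from get_pam_items() would be reported to the stack as PAM_AUTHINFO_UNAVAIL and the PAM_CLI_FLAGS_IGNORE_UNKNOWN_USER handling below is skipped entirely. If the intent is limited to the unknown-user case, narrow the guard: `if (ret == PAM_USER_UNKNOWN && (flags & (PAM_CLI_FLAGS_TRY_CERT_AUTH | PAM_CLI_FLAGS_REQUIRE_CERT_AUTH))) {`; if the broader mapping is intended, a one-line comment saying so (and that it deliberately bypasses the ignore_unknown_user handling) would keep the next reader from "fixing" it. The `) ) {` spacing on the second condition line also departs from the surrounding style. pam_sss() starts and ends outside this hunk.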
diff --git a/src/tests/intg/test_pam_responder.py b/src/tests/intg/test_pam_responder.py
index 06f69a3d8..d1ad9affd 100644
--- a/src/tests/intg/test_pam_responder.py
+++ b/src/tests/intg/test_pam_responder.py
@@ -388,3 +388,31 @@ def test_try_sc_auth(simple_pam_cert_auth, env_for_sssctl):
raise Exception("sssctl failed")
assert err.find("pam_authenticate for user [user1]: Success") != -1
+
+
+def test_try_sc_auth_root(simple_pam_cert_auth, env_for_sssctl):
+ """
+ Make sure pam_sss returns PAM_AUTHINFO_UNAVAIL even for root if
+ try_cert_auth is set.
+ """
+ sssctl = subprocess.Popen(["sssctl", "user-checks", "root",
+ "--action=auth",
+ "--service=pam_sss_try_sc"],
+ universal_newlines=True,
+ env=env_for_sssctl, stdin=subprocess.PIPE,
+ stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ try:
+ out, err = sssctl.communicate(input="123456")
+ except:
+ sssctl.kill()
+ out, err = sssctl.communicate()
+
+ sssctl.stdin.close()
+ sssctl.stdout.close()
+
+ if sssctl.wait() != 0:
+ raise Exception("sssctl failed")
+
+ assert err.find("pam_authenticate for user [root]: Authentication " +
+ "service cannot retrieve authentication info") != -1
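Review bot: The bare `except:` around `communicate()` also swallows KeyboardInterrupt and SystemExit, so an interrupted test run kills sssctl and then proceeds to the assertion instead of stopping; use `except Exception:` (the same pattern appears in the sibling test above this hunk). The `sssctl.stdin.close()` after `communicate()` is redundant since `communicate()` already closes stdin once input is sent, though harmless. Consider extending the docstring to mention that it exercises the root/PAM_USER_UNKNOWN path in get_pam_items(), e.g. `SSSD does not handle root, so get_pam_items() fails; with try_cert_auth the failure must surface as PAM_AUTHINFO_UNAVAIL rather than PAM_USER_UNKNOWN.`, so the link to the pam_sss.c change is visible from the test.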
--
2.19.1