From 31e57432537b9d248839159d83cfa9049faf192b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 19 Jun 2020 13:32:30 +0200
Subject: [PATCH] pam_sss: make sure old certificate data is removed before
retry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
To avoid that certificates will be shown in the certificate selection
which are not available anymore they must be remove before a new request
to look up the certificates is send to SSSD's PAM responder.
Resolves: https://github.com/SSSD/sssd/issues/5190
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
src/sss_client/pam_sss.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index e3ad2c9b2..6a3ba2f50 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -2467,6 +2467,8 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi,
&& strcmp(login_token_name,
pi->cert_list->token_name) != 0)) {
+ free_cert_list(pi->cert_list);
+ pi->cert_list = NULL;
if (retries < 0) {
ret = PAM_AUTHINFO_UNAVAIL;
goto done;
--
2.21.3