rpms / sssd

Clone
Source Code
GIT

Files

  1.   ecf7095b458fd37aa15bb4b2037d5dc9a7979e1c
  2.   SOURCES
  3.   0057-krb5-return-to-responder-that-pkinit-is-not-availabl.patch
Blob Blame History Raw 
From 01ed8c7d7fcd9090d0953f85ef0604cbcad4f48b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Thu, 16 Mar 2017 20:43:08 +0100
Subject: [PATCH 57/60] krb5: return to responder that pkinit is not available
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If pkinit is not available for a user but other authentication methods
are SSSD should still fall back to local certificate based
authentication if Smartcard credentials are provided.

Resolves https://pagure.io/SSSD/sssd/issue/3343

Reviewed-by: Jakub Hrozek <jhrozek@redhat.com>
Reviewed-by: Lukáš Slebodník <lslebodn@redhat.com>
---
 src/providers/krb5/krb5_child.c | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 777a25f2a0ea434dde12d2396f6a35c2a1b86cd0..a4128dda6b0861a95dba223047d66c4158b1afb6 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -42,6 +42,10 @@
 
 #define SSSD_KRB5_CHANGEPW_PRINCIPAL "kadmin/changepw"
 
+#define IS_SC_AUTHTOK(tok) ( \
+    sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_PIN \
+        || sss_authtok_get_type((tok)) == SSS_AUTHTOK_TYPE_SC_KEYPAD)
+
 enum k5c_fast_opt {
     K5C_FAST_NEVER,
     K5C_FAST_TRY,
@@ -1529,12 +1533,17 @@ static krb5_error_code get_and_save_tgt(struct krb5_req *kr,
              * pre-auth module is missing or no Smartcard is inserted and only
              * pkinit is available KRB5_PREAUTH_FAILED is returned.
              * ERR_NO_AUTH_METHOD_AVAILABLE is used to indicate to the
-             * frontend that local authentication might be tried. */
+             * frontend that local authentication might be tried.
+             * Same is true if Smartcard credentials are given but only other
+             * authentication methods are available. */
             if (kr->pd->cmd == SSS_PAM_AUTHENTICATE
                     && kerr == KRB5_PREAUTH_FAILED
-                    && kr->password_prompting == false
-                    && kr->otp == false
-                    && kr->pkinit_prompting == false) {
+                    && kr->pkinit_prompting == false
+                    && (( kr->password_prompting == false
+                              && kr->otp == false)
+                            || ((kr->otp == true
+                                    || kr->password_prompting == true)
+                              && IS_SC_AUTHTOK(kr->pd->authtok))) ) {
                 return ERR_NO_AUTH_METHOD_AVAILABLE;
             }
             return kerr;
-- 
2.9.3

Powered by Pagure 5.13.3

SSH Hostkey/Fingerprint | Documentation