From 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Wed, 3 Jun 2020 20:36:54 +0200 Subject: [PATCH 22/22] pam_sss: special handling for gdm-smartcard The gdm-smartcard service is special since it is triggered by the presence of a Smartcard and even in the case of an error it will immediately try again. To break this loop we should ask for an user input and asking for a PIN is most straight forward and would show the same behavior as pam_pkcs11. Additionally it does not make sense to fall back the a password prompt for gdm-smartcard so also here a PIN prompt should be shown. Resolves: https://github.com/SSSD/sssd/issues/5190 Reviewed-by: Alexey Tikhonov --- src/sss_client/pam_sss.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index 7e59f0487..093e53af5 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -1835,8 +1835,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi) struct pam_message m[2] = { { 0 }, { 0 } }; struct pam_response *resp = NULL; struct cert_auth_info *cai = pi->selected_cert; + struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"), + NULL, NULL, NULL, NULL, NULL }; - if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') { + if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) { + cai = &empty_cai; + } else if (cai == NULL || cai->token_name == NULL + || *cai->token_name == '\0') { return PAM_SYSTEM_ERR; } @@ -2188,6 +2193,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh, } } ret = prompt_sc_pin(pamh, pi); + } else if (SERVICE_IS_GDM_SMARTCARD(pi)) { + /* Use pin prompt as fallback for gdm-smartcard */ + ret = prompt_sc_pin(pamh, pi); } else { ret = prompt_password(pamh, pi, _("Password: ")); } @@ -2496,7 +2504,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, { int ret; int pam_status; - struct pam_items pi; + struct pam_items pi = { 0 }; uint32_t flags = 0; const int *exp_data; int *pw_exp_data; @@ -2570,7 +2578,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, /* * Since we are only interested in the result message * and will always use password authentication - * as a fallback, errors can be ignored here. + * as a fallback (except for gdm-smartcard), + * errors can be ignored here. */ } } @@ -2588,7 +2597,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh, quiet_mode); if (ret != PAM_SUCCESS) { D(("check_login_token_name failed.\n")); - return ret; } } -- 2.21.3