From bcb392e60c1935a98738988c5289585acd89ce82 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 21 Feb 2022 18:02:47 +0100
Subject: [PATCH 87/88] pam: better SC fallback message
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

If no suitable certificates were found or if gdm-smartcard was somehow activated without a Smartcard present ask to (re)-insert a Smartcard.

Resolves: https://github.com/SSSD/sssd/issues/6022

Reviewed-by: Alexey Tikhonov
Reviewed-by: Pavel Březina
(cherry picked from commit 4d2277f8c3065771a8c3bbc7938309a4905640f0)
Reviewed-by: Alexey Tikhonov
Reviewed-by: Pavel Březina
---
 src/sss_client/pam_sss.c | 47 +++++++++++++++++++++++-----------------
 1 file changed, 27 insertions(+), 20 deletions(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index 7084ce953..feb4837fb 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1787,40 +1787,39 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
     return ret;
 }
 
+#define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
+
 static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 {
     int ret;
     char *answer = NULL;
-    char *prompt;
-    size_t size;
+    char *prompt = NULL;
     size_t needed_size;
     const struct pam_conv *conv;
     const struct pam_message *mesg[2] = { NULL, NULL };
     struct pam_message m[2] = { { 0 }, { 0 } };
     struct pam_response *resp = NULL;
     struct cert_auth_info *cai = pi->selected_cert;
-    struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
-                                        NULL, NULL, NULL, NULL, NULL, NULL };
 
     if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
-        cai = &empty_cai;
+        ret = asprintf(&prompt, SC_INSERT_PROMPT);
     } else if (cai == NULL || cai->token_name == NULL
                     || *cai->token_name == '\0') {
-        return EINVAL;
+        return PAM_SYSTEM_ERR;
+    } else {
+        ret = asprintf(&prompt, SC_PROMPT_FMT, cai->token_name);
     }
 
-    size = sizeof(SC_PROMPT_FMT) + strlen(cai->token_name);
-    prompt = malloc(size);
-    if (prompt == NULL) {
-        D(("malloc failed."));
-        return ENOMEM;
+    if (ret == -1) {
+        D(("asprintf failed."));
+        return PAM_SYSTEM_ERR;
     }
 
-    ret = snprintf(prompt, size, SC_PROMPT_FMT, cai->token_name);
-    if (ret < 0 || ret >= size) {
-        D(("snprintf failed."));
-        free(prompt);
-        return EFAULT;
+    if (cai == NULL) {
+        ret = do_pam_conversation(pamh, PAM_TEXT_INFO, prompt, NULL, NULL);
+        if (ret != PAM_SUCCESS) {
+            D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
+        }
     }
 
     if (pi->user_name_hint) {
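Review bot: `ret = asprintf(&prompt, SC_INSERT_PROMPT);` in the gdm-smartcard branch passes a gettext-translated string as the format argument; SC_INSERT_PROMPT, defined just above via `_()`, carries no conversions, so any `%` that slips into a translation catalog would be interpreted by asprintf. Pass it as data instead, `ret = asprintf(&prompt, "%s", SC_INSERT_PROMPT);`, which also keeps -Wformat-security quiet; SC_PROMPT_FMT in the else branch is a real format with a matching argument and is fine as written. After the PAM_TEXT_INFO message the cai == NULL path falls through to the `pi->user_name_hint` code with `prompt` still holding the (re)insert text; the remainder of prompt_sc_pin is outside this hunk, so it is worth confirming that path does not reuse `prompt` as the PIN prompt before the second hunk's cai == NULL exit is reached.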
@@ -1907,10 +1906,18 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
         }
     }
 
-    if (answer == NULL) {
-        pi->pam_authtok = NULL;
-        pi->pam_authtok_type = SSS_AUTHTOK_TYPE_EMPTY;
-        pi->pam_authtok_size=0;
+    if (cai == NULL) {
+        /* it is expected that the user just replaces the Smartcard which
+         * would trigger gdm to restart the PAM module, so it is not
+         * expected that this part of the code is reached. */
+        ret = PAM_AUTHINFO_UNAVAIL;
+        goto done;
+    }
+
+    if (answer == NULL || *answer == '\0') {
+        D(("Missing PIN."));
+        ret = PAM_CRED_INSUFFICIENT;
+        goto done;
     } else {
         ret = sss_auth_pack_sc_blob(answer, 0, cai->token_name, 0,

-- 
2.35.3
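Review bot: Both new `goto done` exits jump to a label that lies outside this hunk while `prompt` (allocated by asprintf in the first hunk) and `answer` are still live; confirm that `done:` frees `prompt` and releases `answer` on these paths, since on the non-empty path `answer` is the PIN buffer and should not outlive the call. The comment on the cai == NULL branch says why the code is not expected to run but not what a caller sees if it does; I would extend it with `/* if reached anyway, report the missing card as PAM_AUTHINFO_UNAVAIL instead of packing a PIN for a token that does not exist */`. The body of prompt_sc_pin continues past the end of this hunk.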