From 0a637fff4fe575916bdae0eb17b7c36e8427308a Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Wed, 17 Apr 2019 15:07:43 +0200
Subject: [PATCH] PAM: Also cache SSS_PAM_PREAUTH

Related: https://pagure.io/SSSD/sssd/issue/3960

Even if cached_auth_timeout was set, the pam responder would still forward the preauthentication requests to the back end. This could trigger unwanted traffic towards the KDCs.

Reviewed-by: Sumit Bose
(cherry picked from commit c911562d1bea8ae44e45e564c9df5df43d87b035)
---
 src/man/sssd.conf.5.xml | 4 +++-
 src/responder/pam/pamsrv_cmd.c | 40 +++++++++++++++-------------------
 2 files changed, 21 insertions(+), 23 deletions(-)

diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index 274809e24..1ab7af00b 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -2960,7 +2960,9 @@ subdomain_inherit = ldap_purge_cache_timeout
 Specifies time in seconds since last successful online authentication for which user will be authenticated using cached credentials while
- SSSD is in the online mode.
+ SSSD is in the online mode. If the credentials
+ are incorrect, SSSD falls back to online
+ authentication.
 This option's value is inherited by all trusted
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 6b2dc5bdc..00302be75 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -803,8 +803,9 @@ static void pam_reply(struct pam_auth_req *preq)
 pam_verbosity = DEFAULT_PAM_VERBOSITY;
 }

- DEBUG(SSSDBG_FUNC_DATA,
- "pam_reply called with result [%d]: %s.\n",
+ DEBUG(SSSDBG_TRACE_ALL,
+ "pam_reply initially called with result [%d]: %s. "
+ "this result might be changed during processing\n",
 pd->pam_status, pam_strerror(NULL, pd->pam_status));

 if (pd->cmd == SSS_PAM_AUTHENTICATE
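Review bot: The new message on the `+ DEBUG(SSSDBG_TRACE_ALL, ...)` lines is split into two literals whose second part starts in lower case and ends without a period, unlike the neighbouring DEBUG messages in pam_reply that read as full sentences; suggest `"pam_reply initially called with result [%d]: %s. "` followed by `"This result might be changed during processing.\n"`. Demoting this initial status from SSSDBG_FUNC_DATA to SSSDBG_TRACE_ALL is acceptable only because the final status is now reported at SSSDBG_FUNC_DATA at the done: label later in this file; that dependency is worth a word in the commit message. pam_reply continues outside the hunk.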
@@ -886,6 +887,7 @@ static void pam_reply(struct pam_auth_req *preq)
 break;
 /* TODO: we need the pam session cookie here to make sure that cached
 * authentication was successful */
+ case SSS_PAM_PREAUTH:
 case SSS_PAM_SETCRED:
 case SSS_PAM_ACCT_MGMT:
 case SSS_PAM_OPEN_SESSION:
@@ -1067,6 +1069,8 @@ static void pam_reply(struct pam_auth_req *preq)
 }

 done:
+ DEBUG(SSSDBG_FUNC_DATA, "Returning [%d]: %s to the client\n",
+ pd->pam_status, pam_strerror(NULL, pd->pam_status));
 sss_cmd_done(cctx, preq);
 }

@@ -1949,21 +1953,6 @@ done:
 return ret;
 }

-static bool pam_is_cmd_cachable(int cmd)
-{
- bool is_cachable;
-
- switch(cmd) {
- case SSS_PAM_AUTHENTICATE:
- is_cachable = true;
- break;
- default:
- is_cachable = false;
- }
-
- return is_cachable;
-}
-
 static bool pam_is_authtok_cachable(struct sss_auth_token *authtok)
 {
 enum sss_authtok_type type;
@@ -1988,11 +1977,18 @@ static bool pam_can_user_cache_auth(struct sss_domain_info *domain,
 errno_t ret;
 bool result = false;

- if (!cached_auth_failed /* don't try cached auth again */
- && domain->cache_credentials
- && domain->cached_auth_timeout > 0
- && pam_is_authtok_cachable(authtok)
- && pam_is_cmd_cachable(pam_cmd)) {
+ if (cached_auth_failed) {
+ /* Do not retry indefinitely */
+ return false;
+ }
+
+ if (!domain->cache_credentials || domain->cached_auth_timeout <= 0) {
+ return false;
+ }
+
+ if (pam_cmd == SSS_PAM_PREAUTH
+ || (pam_cmd == SSS_PAM_AUTHENTICATE
+ && pam_is_authtok_cachable(authtok))) {
 ret = pam_is_last_online_login_fresh(domain, user,
 domain->cached_auth_timeout,
-- 
2.19.2
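Review bot: The new `case SSS_PAM_PREAUTH:` label in the pam_reply switch (first hunk of this line) is added without a comment saying why a cached pre-authentication result takes the same branch as SSS_PAM_SETCRED/SSS_PAM_ACCT_MGMT/SSS_PAM_OPEN_SESSION; the branch body lies outside the hunk, so a reader of this case list cannot tell what handling PREAUTH now receives. This matters because the last hunk of the file (pam_can_user_cache_auth) lets PREAUTH be answered from the cache whenever the last online login is fresh, with no pam_is_authtok_cachable() check, while SSS_PAM_AUTHENTICATE still requires both; that asymmetry is intentional for a pre-authentication step but should be stated where the case is selected. Suggest `case SSS_PAM_PREAUTH: /* may be served from cache without an authtok check, see pam_can_user_cache_auth() */`. The TODO comment about the pam session cookie directly above now sits next to the new label although it belongs to the preceding case; moving the new label below the comment's owner or adding the comment above avoids that misreading.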