From 8ec8702a9f06f7c4fe2f4bbfed33a0b3b73f1961 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Tue, 18 Sep 2018 18:15:02 +0200
Subject: [PATCH 38/47] PAM: add p11_wait_for_card_timeout option

If the --wait_for_card is used to call p11_child the PAM responder should be prepared to wait longer until p11_child can return successfully.

Related to https://pagure.io/SSSD/sssd/issue/3650

Reviewed-by: Jakub Hrozek
(cherry picked from commit 2e4ecf5a866b212bef44e262fd90c67a88dc616a)
---
 src/confdb/confdb.h | 1 +
 src/config/SSSDConfig/__init__.py.in | 1 +
 src/config/cfg_rules.ini | 1 +
 src/config/etc/sssd.api.conf | 1 +
 src/man/sssd.conf.5.xml | 14 ++++++++++++++
 src/responder/pam/pamsrv_cmd.c | 15 +++++++++++++++
 src/util/util.h | 1 +
 7 files changed, 34 insertions(+)

diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h
index 625d156267ebf5f59e3974663256acfbb5f3b027..87904c2146b33b57106ac3799c5a67ee02387e9b 100644
--- a/src/confdb/confdb.h
+++ b/src/confdb/confdb.h
@@ -130,6 +130,7 @@
 #define CONFDB_PAM_CERT_AUTH "pam_cert_auth"
 #define CONFDB_PAM_CERT_DB_PATH "pam_cert_db_path"
 #define CONFDB_PAM_P11_CHILD_TIMEOUT "p11_child_timeout"
+#define CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT "p11_wait_for_card_timeout"
 #define CONFDB_PAM_APP_SERVICES "pam_app_services"
 #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services"
diff --git a/src/config/SSSDConfig/__init__.py.in b/src/config/SSSDConfig/__init__.py.in
index 81a03adfe91120233afbaed4d2522788b56bea94..4d1dba2d22eae4716fbabe3a3957952f7cd17751 100644
--- a/src/config/SSSDConfig/__init__.py.in
+++ b/src/config/SSSDConfig/__init__.py.in
@@ -104,6 +104,7 @@ option_strings = {
 'p11_child_timeout' : _('How many seconds will pam_sss wait for p11_child to finish'),
 'pam_app_services' : _('Which PAM services are permitted to contact application domains'),
 'pam_p11_allowed_services' : _('Allowed services for using smartcards'),
+ 'p11_wait_for_card_timeout' : _('Additional timeout to wait for a card if requested'),
 # [sudo]
 'sudo_timed' : _('Whether to evaluate the time-based attributes in sudo rules'),
diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini
index 36e83a932d6b66cae129a03fb137ba5e4e3092b2..717ccfa3f382b92800bf00ed79f68641a5a83d5c 100644
--- a/src/config/cfg_rules.ini
+++ b/src/config/cfg_rules.ini
@@ -127,6 +127,7 @@ option = pam_cert_db_path
 option = p11_child_timeout
 option = pam_app_services
 option = pam_p11_allowed_services
+option = p11_wait_for_card_timeout
 [rule/allowed_sudo_options]
 validator = ini_allowed_options
diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf
index 52494c0e6d50efc2d31c56c0fe023dc9c07e35ba..bb686c34480be27d0829b57a853fa05921730630 100644
--- a/src/config/etc/sssd.api.conf
+++ b/src/config/etc/sssd.api.conf
@@ -76,6 +76,7 @@ pam_cert_db_path = str, None, false
 p11_child_timeout = int, None, false
 pam_app_services = str, None, false
 pam_p11_allowed_services = str, None, false
+p11_wait_for_card_timeout = int, None, false
 [sudo]
 # sudo service
diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml
index c1e38950f99cb8df4c59fe10866632030d3c6f25..4df0163311fb3845e6a027be7d0b500cb5d2f0b6 100644
--- a/src/man/sssd.conf.5.xml
+++ b/src/man/sssd.conf.5.xml
@@ -1464,6 +1464,20 @@ pam_p11_allowed_services = +my_pam_service, -login
 + + p11_wait_for_card_timeout (integer) + + + If Smartcard authentication is required how many + extra seconds in addition to p11_child_timeout + should the PAM responder wait until a Smartcard is + inserted. + + + Default: 60 + + + 
diff --git a/src/responder/pam/pamsrv_cmd.c b/src/responder/pam/pamsrv_cmd.c
index 817f3c5134ba4c7358ffb4fbf3c6008fa23ffe0e..c8df32de9e72e9f5ce33e26f0a13101a99f01d5f 100644
--- a/src/responder/pam/pamsrv_cmd.c
+++ b/src/responder/pam/pamsrv_cmd.c
@@ -1297,6 +1297,7 @@ static errno_t check_cert(TALLOC_CTX *mctx,
 struct pam_data *pd)
 {
 int p11_child_timeout;
+ int wait_for_card_timeout;
 char *cert_verification_opts;
 errno_t ret;
 struct tevent_req *req;
@@ -1311,6 +1312,20 @@ static errno_t check_cert(TALLOC_CTX *mctx,
 ret, sss_strerror(ret));
 return ret;
 }
+ if ((pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1) {
+ ret = confdb_get_int(pctx->rctx->cdb, CONFDB_PAM_CONF_ENTRY,
+ CONFDB_PAM_WAIT_FOR_CARD_TIMEOUT,
+ P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT,
+ &wait_for_card_timeout);
+ if (ret != EOK) {
+ DEBUG(SSSDBG_CRIT_FAILURE,
+ "Failed to read wait_for_card_timeout from confdb: [%d]: %s\n",
+ ret, sss_strerror(ret));
+ return ret;
+ }
+
+ p11_child_timeout += wait_for_card_timeout;
+ }
 ret = confdb_get_string(pctx->rctx->cdb, mctx, CONFDB_MONITOR_CONF_ENTRY,
 CONFDB_MONITOR_CERT_VERIFICATION, NULL,
diff --git a/src/util/util.h b/src/util/util.h
index 59e7a96ba58aa9400166514064922d25fb713deb..e3e91009728cd8a5a92701220c06e8c378f47431 100644
--- a/src/util/util.h
+++ b/src/util/util.h
@@ -724,6 +724,7 @@ errno_t create_preauth_indicator(void);
 #define P11_CHILD_LOG_FILE "p11_child"
 #define P11_CHILD_PATH SSSD_LIBEXEC_PATH"/p11_child"
 #define P11_CHILD_TIMEOUT_DEFAULT 10
+#define P11_WAIT_FOR_CARD_TIMEOUT_DEFAULT 60
 #endif /* SSSD_LIBEXEC_PATH */
 #endif /* __SSSD_UTIL_H__ */
-- 
2.14.4
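Review bot: The new `p11_child_timeout += wait_for_card_timeout;` in check_cert uses the confdb value without any range check, so a negative p11_wait_for_card_timeout silently shortens the total below p11_child_timeout (possibly to zero or below), and a value close to INT_MAX makes the signed addition overflow, which is undefined behaviour, before the result reaches the p11_child wait. After the existing `if (ret != EOK)` block I would reject out-of-range values: `if (wait_for_card_timeout < 0 || wait_for_card_timeout > INT_MAX - p11_child_timeout) { DEBUG(SSSDBG_CRIT_FAILURE, "Invalid p11_wait_for_card_timeout value [%d]\n", wait_for_card_timeout); return EINVAL; }` (INT_MAX from <limits.h>, if not already included). The gate `(pd->cli_flags & PAM_CLI_FLAGS_REQUIRE_CERT_AUTH) && pd->priv == 1` also deserves a one-line comment, since from the hunk alone it is not clear why the extra wait is limited to this case; something like `/* Only a privileged client may extend the p11_child timeout; REQUIRE_CERT_AUTH is a client-supplied flag. */` — but the meaning of pd->priv is defined outside the hunk, so confirm that reading before committing to the wording. check_cert's body continues outside both hunks, and the same unvalidated-int concern applies to p11_child_timeout read just above the second hunk, which is pre-existing code.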