From 277cd1fa71222f3bdf4d8b39d0bce7d07d0df07b Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 24 Aug 2020 11:29:23 +0200
Subject: [PATCH] krb5: only try pkinit with Smartcard credentials

Currently pkinit is tried if a Smartcard is present. But depending on
the used PAM service and other configurations it might happen that the
user didn't provide the Smartcard PIN but e.g. the password. Hence,
before trying pkinit we should check if the right credentials are
available.

Resolves:
https://github.com/SSSD/sssd/issues/5290

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
(cherry picked from commit bca413267f58395e22415edc662a7ba89fbe7b30)
---
 src/providers/krb5/krb5_child.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/providers/krb5/krb5_child.c b/src/providers/krb5/krb5_child.c
index 47eb181ba..d293d195d 100644
--- a/src/providers/krb5/krb5_child.c
+++ b/src/providers/krb5/krb5_child.c
@@ -805,7 +805,11 @@ static krb5_error_code sss_krb5_responder(krb5_context ctx,
                     return kerr;
                 }
             } else if (strcmp(question_list[c],
-                       KRB5_RESPONDER_QUESTION_PKINIT) == 0) {
+                              KRB5_RESPONDER_QUESTION_PKINIT) == 0
+                        && (sss_authtok_get_type(kr->pd->authtok)
+                                               == SSS_AUTHTOK_TYPE_SC_PIN
+                            || sss_authtok_get_type(kr->pd->authtok)
+                                               == SSS_AUTHTOK_TYPE_SC_KEYPAD)) {
                 return answer_pkinit(ctx, kr, rctx);
             }
         }
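Review bot: when the PKINIT question is present but the authtok type is neither SSS_AUTHTOK_TYPE_SC_PIN nor SSS_AUTHTOK_TYPE_SC_KEYPAD, the new condition makes the `else if` fall through silently, so the question is left unanswered with no trace in the logs; a debug message in that case would make it much easier to explain why pkinit was not attempted when a user supplied a password instead of a PIN. Minor: `sss_authtok_get_type(kr->pd->authtok)` is now evaluated twice inside the condition; storing the result in a local (e.g. `enum sss_authtok_type type = sss_authtok_get_type(kr->pd->authtok);`) before the `strcmp` chain would keep the condition readable and give the skipped-case branch something to log.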
-- 
2.21.3