From b1185573e31f08d4d37ae763b5d7e7f0a37e1244 Mon Sep 17 00:00:00 2001
From: ikerexxe
Date: Tue, 5 May 2020 14:40:09 +0200
Subject: [PATCH] ipa_auth and krb5_auth: when providing wrong password return PAM_AUTH_ERR

When providing a wrong password for an existing IPA user, return PAM_AUTH_ERR (authentication failure) instead of PAM_CRED_ERR (failure setting user credentials). In order to do that it is necessary to translate PAM_CRED_ERR to PAM_AUTH_ERR once the providers are done.

Resolves: https://github.com/SSSD/sssd/issues/5139

Reviewed-by: Sumit Bose
(cherry picked from commit 49b9ca15866f59d6e3c1b572545d1b9e76625892)
---
 src/providers/ipa/ipa_auth.c | 16 ++++++++++++++++
 src/providers/krb5/krb5_auth.c | 8 ++++++++
 2 files changed, 24 insertions(+)

diff --git a/src/providers/ipa/ipa_auth.c b/src/providers/ipa/ipa_auth.c
index 1bd017721..2858eb4f5 100644
--- a/src/providers/ipa/ipa_auth.c
+++ b/src/providers/ipa/ipa_auth.c
@@ -271,6 +271,14 @@ static void ipa_pam_auth_handler_krb5_done(struct tevent_req *subreq)
 return;
 }
 
+ /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+ * password migration would make sense. From this point on it isn't
+ * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+ */
+ if (state->pd->pam_status == PAM_CRED_ERR) {
+ state->pd->pam_status = PAM_AUTH_ERR;
+ }
+
 done:
 /* TODO For backward compatibility we always return EOK to DP now. */
 tevent_req_done(req);
@@ -312,6 +320,14 @@ static void ipa_pam_auth_handler_flag_done(struct tevent_req *subreq)
 return;
 }
 
+ /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+ * password migration would make sense. From this point on it isn't
+ * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+ */
+ if (state->pd->pam_status == PAM_CRED_ERR) {
+ state->pd->pam_status = PAM_AUTH_ERR;
+ }
+
 done:
 /* TODO For backward compatibility we always return EOK to DP now. */
 tevent_req_done(req);
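Review bot: The PAM_CRED_ERR → PAM_AUTH_ERR block added just above `done:` is pasted verbatim into ipa_pam_auth_handler_flag_done in the next hunk and into krb5_pam_handler_auth_done in krb5_auth.c, so the rule that a migration hint must never reach the responder now lives in three copies that have to be kept in sync by hand. A one-line helper such as `static void pam_cred_err_to_auth_err(struct pam_data *pd)` declared in a header both files already include, carrying the explanatory comment once, would keep the mapping in one place. The translation also sits above the `done:` label, so any earlier `goto done` in this function (its body starts outside the hunk) returns whatever status it had unchanged; if those paths can only carry PAM_SYSTEM_ERR a short comment on the label saying so would spare the next reader the audit, and if not the check belongs after the label.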
diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 9a9250434..6ab39547f 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1293,6 +1293,14 @@ static void krb5_pam_handler_auth_done(struct tevent_req *subreq)
 state->pd->pam_status = PAM_SYSTEM_ERR;
 }
 
+ /* PAM_CRED_ERR is used to indicate to the IPA provider that trying
+ * password migration would make sense. From this point on it isn't
+ * necessary to keep this status, so it can be translated to PAM_AUTH_ERR.
+ */
+ if (state->pd->pam_status == PAM_CRED_ERR) {
+ state->pd->pam_status = PAM_AUTH_ERR;
+ }
+
 /* TODO For backward compatibility we always return EOK to DP now. */
 tevent_req_done(req);
 }
-- 
2.21.1
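Review bot: The new comment in krb5_pam_handler_auth_done explains the status in terms of "the IPA provider", but this is the generic Kerberos handler and nothing in the hunk connects it to IPA or to a migration decision, so a reader of krb5_auth.c cannot tell why a plain krb5 domain would ever see PAM_CRED_ERR here or why it is safe to drop. If, as the placement suggests, the IPA provider reaches the Kerberos auth code through a different path and this handler only serves plain krb5 domains, the comment should say that, e.g. `/* PAM_CRED_ERR is only a hint for the IPA provider that password migration may be worth trying. That decision is not made in this handler, so report a plain PAM_AUTH_ERR to the responder. */`. The function starts outside the hunk, so the branch that sets PAM_SYSTEM_ERR just above is not visible here.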