From 31e57432537b9d248839159d83cfa9049faf192b Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Fri, 19 Jun 2020 13:32:30 +0200 Subject: [PATCH] pam_sss: make sure old certificate data is removed before retry MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit To avoid that certificates will be shown in the certificate selection which are not available anymore they must be remove before a new request to look up the certificates is send to SSSD's PAM responder. Resolves: https://github.com/SSSD/sssd/issues/5190 Reviewed-by: Pavel Březina --- src/sss_client/pam_sss.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index e3ad2c9b2..6a3ba2f50 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -2467,6 +2467,8 @@ static int check_login_token_name(pam_handle_t *pamh, struct pam_items *pi, && strcmp(login_token_name, pi->cert_list->token_name) != 0)) { + free_cert_list(pi->cert_list); + pi->cert_list = NULL; if (retries < 0) { ret = PAM_AUTHINFO_UNAVAIL; goto done; -- 2.21.3