From 5af7fea571868eed16655adffcc9314911e12417 Mon Sep 17 00:00:00 2001 From: Lukas Slebodnik Date: Mon, 20 Oct 2014 22:21:25 +0200 Subject: [PATCH 75/87] PAM: Remove authtok from PAM stack with OTP We remove the password from the PAM stack when OTP is used to make sure that other pam modules (pam-gnome-keyring, pam_mount) cannot use it anymore and have to request a password on their own. Resolves: https://fedorahosted.org/sssd/ticket/2287 Reviewed-by: Nathaniel McCallum --- src/providers/krb5/krb5_auth.c | 14 ++++++++++++++ src/sss_client/pam_sss.c | 16 +++++++++++++++- 2 files changed, 29 insertions(+), 1 deletion(-) diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c index f539d5068ec29f7b06f734a3417864b43122b1b7..c96b7aee99da8c3d43a67a04bb1f67ee048d4705 100644 --- a/src/providers/krb5/krb5_auth.c +++ b/src/providers/krb5/krb5_auth.c @@ -1161,6 +1161,20 @@ static void krb5_auth_done(struct tevent_req *subreq) krb5_auth_store_creds(state->domain, pd); } + if (res->otp == true && pd->cmd == SSS_PAM_AUTHENTICATE) { + uint32_t otp_flag = 1; + ret = pam_add_response(pd, SSS_OTP, sizeof(uint32_t), + (const uint8_t *) &otp_flag); + if (ret != EOK) { + DEBUG(SSSDBG_CRIT_FAILURE, + "pam_add_response failed: %d (%s).\n", + ret, sss_strerror(ret)); + state->pam_status = PAM_SYSTEM_ERR; + state->dp_err = DP_ERR_OK; + goto done; + } + } + state->pam_status = PAM_SUCCESS; state->dp_err = DP_ERR_OK; ret = EOK; diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c index abe9b05478cbf480b3430dccd1951e9bfb0e29c1..d64e826daeb80be8998ef3b410047e3a44051b07 100644 --- a/src/sss_client/pam_sss.c +++ b/src/sss_client/pam_sss.c @@ -206,7 +206,7 @@ static size_t add_string_item(enum pam_item_type type, const char *str, return rp; } -static void overwrite_and_free_pam_items(struct pam_items *pi) +static void overwrite_and_free_authtoks(struct pam_items *pi) { if (pi->pam_authtok != NULL) { _pam_overwrite_n((void *)pi->pam_authtok, pi->pam_authtok_size); @@ -222,6 +222,11 @@ static void overwrite_and_free_pam_items(struct pam_items *pi) pi->pamstack_authtok = NULL; pi->pamstack_oldauthtok = NULL; +} + +static void overwrite_and_free_pam_items(struct pam_items *pi) +{ + overwrite_and_free_authtoks(pi); free(pi->domain_name); pi->domain_name = NULL; @@ -998,6 +1003,15 @@ static int eval_response(pam_handle_t *pamh, size_t buflen, uint8_t *buf, D(("do_pam_conversation failed.")); } break; + case SSS_OTP: + D(("OTP was used, removing authtokens.")); + overwrite_and_free_authtoks(pi); + ret = pam_set_item(pamh, PAM_AUTHTOK, NULL); + if (ret != PAM_SUCCESS) { + D(("Failed to remove PAM_AUTHTOK after using otp [%s]", + pam_strerror(pamh,ret))); + } + break; default: D(("Unknown response type [%d]", type)); } -- 1.9.3