From d63172f1277c5ed166a22f04d144bf85ded4757c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pavel=20B=C5=99ezina?= Date: Fri, 9 Oct 2020 13:03:54 +0200 Subject: [PATCH 25/27] pam: add pam_gssapi_services option :config: Added `pam_gssapi_services` to list PAM services that can authenticate using GSSAPI Reviewed-by: Robbie Harwood Reviewed-by: Sumit Bose --- src/confdb/confdb.c | 12 +++++++++++ src/confdb/confdb.h | 4 ++++ src/config/SSSDConfig/sssdoptions.py | 1 + src/config/SSSDConfigTest.py | 6 ++++-- src/config/cfg_rules.ini | 3 +++ src/config/etc/sssd.api.conf | 2 ++ src/db/sysdb_subdomains.c | 13 ++++++++++++ src/man/sssd.conf.5.xml | 30 ++++++++++++++++++++++++++++ src/responder/pam/pamsrv.c | 21 +++++++++++++++++++ src/responder/pam/pamsrv.h | 3 +++ 10 files changed, 93 insertions(+), 2 deletions(-) diff --git a/src/confdb/confdb.c b/src/confdb/confdb.c index f981ddf1e..7f1956d6d 100644 --- a/src/confdb/confdb.c +++ b/src/confdb/confdb.c @@ -1581,6 +1581,18 @@ static int confdb_get_domain_internal(struct confdb_ctx *cdb, } } + tmp = ldb_msg_find_attr_as_string(res->msgs[0], CONFDB_PAM_GSSAPI_SERVICES, + "-"); + if (tmp != NULL) { + ret = split_on_separator(domain, tmp, ',', true, true, + &domain->gssapi_services, NULL); + if (ret != 0) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Cannot parse %s\n", CONFDB_PAM_GSSAPI_SERVICES); + goto done; + } + } + domain->has_views = false; domain->view_name = NULL; diff --git a/src/confdb/confdb.h b/src/confdb/confdb.h index 54e3f7380..7a3bc8bb5 100644 --- a/src/confdb/confdb.h +++ b/src/confdb/confdb.h @@ -144,6 +144,7 @@ #define CONFDB_PAM_P11_ALLOWED_SERVICES "pam_p11_allowed_services" #define CONFDB_PAM_P11_URI "p11_uri" #define CONFDB_PAM_INITGROUPS_SCHEME "pam_initgroups_scheme" +#define CONFDB_PAM_GSSAPI_SERVICES "pam_gssapi_services" /* SUDO */ #define CONFDB_SUDO_CONF_ENTRY "config/sudo" @@ -431,6 +432,9 @@ struct sss_domain_info { /* Keytab used by this domain. */ const char *krb5_keytab; + + /* List of PAM services that are allowed to authenticate with GSSAPI. */ + char **gssapi_services; }; /** diff --git a/src/config/SSSDConfig/sssdoptions.py b/src/config/SSSDConfig/sssdoptions.py index de96db6f4..f59fe8d9f 100644 --- a/src/config/SSSDConfig/sssdoptions.py +++ b/src/config/SSSDConfig/sssdoptions.py @@ -104,6 +104,7 @@ class SSSDOptions(object): 'p11_wait_for_card_timeout': _('Additional timeout to wait for a card if requested'), 'p11_uri': _('PKCS#11 URI to restrict the selection of devices for Smartcard authentication'), 'pam_initgroups_scheme' : _('When shall the PAM responder force an initgroups request'), + 'pam_gssapi_services' : _('List of PAM services that are allowed to authenticate with GSSAPI.'), # [sudo] 'sudo_timed': _('Whether to evaluate the time-based attributes in sudo rules'), diff --git a/src/config/SSSDConfigTest.py b/src/config/SSSDConfigTest.py index 323be5ed3..21fffe1b6 100755 --- a/src/config/SSSDConfigTest.py +++ b/src/config/SSSDConfigTest.py @@ -653,7 +653,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): 'full_name_format', 're_expression', 'cached_auth_timeout', - 'auto_private_groups'] + 'auto_private_groups', + 'pam_gssapi_services'] self.assertTrue(type(options) == dict, "Options should be a dictionary") @@ -1030,7 +1031,8 @@ class SSSDConfigTestSSSDDomain(unittest.TestCase): 'full_name_format', 're_expression', 'cached_auth_timeout', - 'auto_private_groups'] + 'auto_private_groups', + 'pam_gssapi_services'] self.assertTrue(type(options) == dict, "Options should be a dictionary") diff --git a/src/config/cfg_rules.ini b/src/config/cfg_rules.ini index 773afd8bb..c6dfd5648 100644 --- a/src/config/cfg_rules.ini +++ b/src/config/cfg_rules.ini @@ -139,6 +139,7 @@ option = pam_p11_allowed_services option = p11_wait_for_card_timeout option = p11_uri option = pam_initgroups_scheme +option = pam_gssapi_services [rule/allowed_sudo_options] validator = ini_allowed_options @@ -437,6 +438,7 @@ option = wildcard_limit option = full_name_format option = re_expression option = auto_private_groups +option = pam_gssapi_services #Entry cache timeouts option = entry_cache_user_timeout @@ -831,6 +833,7 @@ option = ad_backup_server option = ad_site option = use_fully_qualified_names option = auto_private_groups +option = pam_gssapi_services [rule/sssd_checks] validator = sssd_checks diff --git a/src/config/etc/sssd.api.conf b/src/config/etc/sssd.api.conf index 623160ffd..f46f3c46d 100644 --- a/src/config/etc/sssd.api.conf +++ b/src/config/etc/sssd.api.conf @@ -80,6 +80,7 @@ pam_p11_allowed_services = str, None, false p11_wait_for_card_timeout = int, None, false p11_uri = str, None, false pam_initgroups_scheme = str, None, false +pam_gssapi_services = str, None, false [sudo] # sudo service @@ -199,6 +200,7 @@ cached_auth_timeout = int, None, false full_name_format = str, None, false re_expression = str, None, false auto_private_groups = str, None, false +pam_gssapi_services = str, None, false #Entry cache timeouts entry_cache_user_timeout = int, None, false diff --git a/src/db/sysdb_subdomains.c b/src/db/sysdb_subdomains.c index 5b42f9bdc..bfc6df0f5 100644 --- a/src/db/sysdb_subdomains.c +++ b/src/db/sysdb_subdomains.c @@ -184,6 +184,8 @@ struct sss_domain_info *new_subdomain(TALLOC_CTX *mem_ctx, dom->homedir_substr = parent->homedir_substr; dom->override_gid = parent->override_gid; + dom->gssapi_services = parent->gssapi_services; + if (parent->sysdb == NULL) { DEBUG(SSSDBG_OP_FAILURE, "Missing sysdb context in parent domain.\n"); goto fail; @@ -241,6 +243,17 @@ check_subdom_config_file(struct confdb_ctx *confdb, sd_conf_path, CONFDB_DOMAIN_FQ, subdomain->fqnames ? "TRUE" : "FALSE"); + /* allow to set pam_gssapi_services */ + ret = confdb_get_string_as_list(confdb, subdomain, sd_conf_path, + CONFDB_PAM_GSSAPI_SERVICES, + &subdomain->gssapi_services); + if (ret != EOK && ret != ENOENT) { + DEBUG(SSSDBG_OP_FAILURE, + "Failed to get %s option for the subdomain: %s\n", + CONFDB_PAM_GSSAPI_SERVICES, subdomain->name); + goto done; + } + ret = EOK; done: talloc_free(tmp_ctx); diff --git a/src/man/sssd.conf.5.xml b/src/man/sssd.conf.5.xml index d247400bf..db9dd4677 100644 --- a/src/man/sssd.conf.5.xml +++ b/src/man/sssd.conf.5.xml @@ -1706,6 +1706,35 @@ p11_uri = library-description=OpenSC%20smartcard%20framework;slot-id=2 + + pam_gssapi_services + + + Comma separated list of PAM services that are + allowed to try GSSAPI authentication using + pam_sss_gss.so module. + + + To disable GSSAPI authentication, set this option + to - (dash). + + + Note: This option can also be set per-domain which + overwrites the value in [pam] section. It can also + be set for trusted domain which overwrites the value + in the domain section. + + + Example: + +pam_gssapi_services = sudo, sudo-i + + + + Default: - (GSSAPI authentication is disabled) + + + @@ -3780,6 +3809,7 @@ ldap_user_extra_attrs = phone:telephoneNumber ad_backup_server, ad_site, use_fully_qualified_names + pam_gssapi_services For more details about these options see their individual description in the manual page. diff --git a/src/responder/pam/pamsrv.c b/src/responder/pam/pamsrv.c index 1f1ee608b..0492569c7 100644 --- a/src/responder/pam/pamsrv.c +++ b/src/responder/pam/pamsrv.c @@ -327,6 +327,27 @@ static int pam_process_init(TALLOC_CTX *mem_ctx, } } + ret = confdb_get_string(pctx->rctx->cdb, pctx, CONFDB_PAM_CONF_ENTRY, + CONFDB_PAM_GSSAPI_SERVICES, "-", &tmpstr); + if (ret != EOK) { + DEBUG(SSSDBG_FATAL_FAILURE, + "Failed to determine gssapi services.\n"); + goto done; + } + DEBUG(SSSDBG_TRACE_INTERNAL, "Found value [%s] for option [%s].\n", tmpstr, + CONFDB_PAM_GSSAPI_SERVICES); + + if (tmpstr != NULL) { + ret = split_on_separator(pctx, tmpstr, ',', true, true, + &pctx->gssapi_services, NULL); + if (ret != EOK) { + DEBUG(SSSDBG_MINOR_FAILURE, + "split_on_separator() failed [%d]: [%s].\n", ret, + sss_strerror(ret)); + goto done; + } + } + /* The responder is initialized. Now tell it to the monitor. */ ret = sss_monitor_service_init(rctx, rctx->ev, SSS_BUS_PAM, SSS_PAM_SBUS_SERVICE_NAME, diff --git a/src/responder/pam/pamsrv.h b/src/responder/pam/pamsrv.h index 24d307a14..730dee288 100644 --- a/src/responder/pam/pamsrv.h +++ b/src/responder/pam/pamsrv.h @@ -62,6 +62,9 @@ struct pam_ctx { int num_prompting_config_sections; enum pam_initgroups_scheme initgroups_scheme; + + /* List of PAM services that are allowed to authenticate with GSSAPI. */ + char **gssapi_services; }; struct pam_auth_req { -- 2.21.3