dpward / rpms / sssd


SOURCES/0018-krb5-do-not-cache-ccache-or-password-during-preauth.patch

From 895aa34af41cc76aaac78c3cb74c68eeeb31a1d9 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Fri, 15 May 2020 10:43:46 +0200
Subject: [PATCH] krb5: do not cache ccache or password during preauth

The PAM preauth step is mainly used to determine which authentication
methods (single factor, two factor, Smartcard) are available for the
user. It does not make sense to try to store the password hash or the
credential cache at this step because this information is not available
or not accurate at this step.

It might even cause issues if the credential cache name contains a random
component. This is typically used for file based credential caches
stored in the /tmp directory to avoid attacks that pre-create the file
since the name is known. Since the credential cache name still contains
the template for the random component 'XXXXXX', updating the credential
cache name in the cache during preauth destroys the information about
the currently used credential cache and upcoming authentications will
create a new one.

This causes issues with screen-savers or screen-lock where every
unlock creates a new credential cache file and does not update the
existing one as expected. Another case is if a user logs in
multiple times to the same host, e.g. with ssh. Here it is expected as
well that the first session will create a new credential cache file
while all additional sessions will reuse it and only update the TGT in
the existing credential.

Resolves: https://github.com/SSSD/sssd/issues/5160

Reviewed-by: Alexey Tikhonov <atikhonov@redhat.com>
(cherry picked from commit 11435b1060675339263ce0a2a546cc44ab9bd576)
---
 src/providers/krb5/krb5_auth.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/providers/krb5/krb5_auth.c b/src/providers/krb5/krb5_auth.c
index 6ab39547f..b83e59092 100644
--- a/src/providers/krb5/krb5_auth.c
+++ b/src/providers/krb5/krb5_auth.c
@@ -1089,6 +1089,13 @@ static void krb5_auth_done(struct tevent_req *subreq)
                               kr->srv, PORT_WORKING);
     }
 
+    if (pd->cmd == SSS_PAM_PREAUTH) {
+        state->pam_status = PAM_SUCCESS;
+        state->dp_err = DP_ERR_OK;
+        ret = EOK;
+        goto done;
+    }
+
     /* Now only a successful authentication or password change is left.
      *
      * We expect that one of the messages in the received buffer contains
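Review bot: the new early exit for SSS_PAM_PREAUTH sets `state->pam_status = PAM_SUCCESS;` unconditionally and carries no comment explaining why preauth must skip the caching code that follows it; the reason (the ccache name may still hold the unexpanded 'XXXXXX' template at this stage, per the commit message) is not visible from the surrounding lines, so add a short comment above `if (pd->cmd == SSS_PAM_PREAUTH) {` stating it, and confirm that every failing preauth result from the child has already been turned into a non-success status before this point, since otherwise a failed preauth would now be reported as success.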
-- 
2.21.1