|
 |
1bb595 |
From 3ed254765fc92e9cc9e4c35335818eaf1256e0d6 Mon Sep 17 00:00:00 2001
|
|
|
1bb595 |
From: Sumit Bose <sbose@redhat.com>
|
|
|
1bb595 |
Date: Wed, 3 Jun 2020 20:36:54 +0200
|
|
|
1bb595 |
Subject: [PATCH 22/22] pam_sss: special handling for gdm-smartcard
|
|
|
1bb595 |
|
|
|
1bb595 |
The gdm-smartcard service is special since it is triggered by the
|
|
|
1bb595 |
presence of a Smartcard and even in the case of an error it will
|
|
|
1bb595 |
immediately try again. To break this loop we should ask for an user
|
|
|
1bb595 |
input and asking for a PIN is most straight forward and would show the
|
|
|
1bb595 |
same behavior as pam_pkcs11.
|
|
|
1bb595 |
|
|
|
1bb595 |
Additionally it does not make sense to fall back the a password prompt
|
|
|
1bb595 |
for gdm-smartcard so also here a PIN prompt should be shown.
|
|
|
1bb595 |
|
|
|
1bb595 |
Resolves: https://github.com/SSSD/sssd/issues/5190
|
|
|
1bb595 |
|
|
|
1bb595 |
Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
|
|
|
1bb595 |
---
|
|
|
1bb595 |
src/sss_client/pam_sss.c | 16 ++++++++++++----
|
|
|
1bb595 |
1 file changed, 12 insertions(+), 4 deletions(-)
|
|
|
1bb595 |
|
|
|
1bb595 |
diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
|
|
|
1bb595 |
index 7e59f0487..093e53af5 100644
|
|
|
1bb595 |
--- a/src/sss_client/pam_sss.c
|
|
|
1bb595 |
+++ b/src/sss_client/pam_sss.c
|
|
|
1bb595 |
@@ -1835,8 +1835,13 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
|
|
|
1bb595 |
struct pam_message m[2] = { { 0 }, { 0 } };
|
|
|
1bb595 |
struct pam_response *resp = NULL;
|
|
|
1bb595 |
struct cert_auth_info *cai = pi->selected_cert;
|
|
|
1bb595 |
+ struct cert_auth_info empty_cai = { NULL, NULL, discard_const("Smartcard"),
|
|
|
1bb595 |
+ NULL, NULL, NULL, NULL, NULL };
|
|
|
1bb595 |
|
|
|
1bb595 |
- if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
|
|
|
1bb595 |
+ if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
|
|
|
1bb595 |
+ cai = &empty_cai;
|
|
|
1bb595 |
+ } else if (cai == NULL || cai->token_name == NULL
|
|
|
1bb595 |
+ || *cai->token_name == '\0') {
|
|
|
1bb595 |
return PAM_SYSTEM_ERR;
|
|
|
1bb595 |
}
|
|
|
1bb595 |
|
|
|
1bb595 |
@@ -2188,6 +2193,9 @@ static int get_authtok_for_authentication(pam_handle_t *pamh,
|
|
|
1bb595 |
}
|
|
|
1bb595 |
}
|
|
|
1bb595 |
ret = prompt_sc_pin(pamh, pi);
|
|
|
1bb595 |
+ } else if (SERVICE_IS_GDM_SMARTCARD(pi)) {
|
|
|
1bb595 |
+ /* Use pin prompt as fallback for gdm-smartcard */
|
|
|
1bb595 |
+ ret = prompt_sc_pin(pamh, pi);
|
|
|
1bb595 |
} else {
|
|
|
1bb595 |
ret = prompt_password(pamh, pi, _("Password: "));
|
|
|
1bb595 |
}
|
|
|
1bb595 |
@@ -2496,7 +2504,7 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
|
1bb595 |
{
|
|
|
1bb595 |
int ret;
|
|
|
1bb595 |
int pam_status;
|
|
|
1bb595 |
- struct pam_items pi;
|
|
|
1bb595 |
+ struct pam_items pi = { 0 };
|
|
|
1bb595 |
uint32_t flags = 0;
|
|
|
1bb595 |
const int *exp_data;
|
|
|
1bb595 |
int *pw_exp_data;
|
|
|
1bb595 |
@@ -2570,7 +2578,8 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
|
1bb595 |
/*
|
|
|
1bb595 |
* Since we are only interested in the result message
|
|
|
1bb595 |
* and will always use password authentication
|
|
|
1bb595 |
- * as a fallback, errors can be ignored here.
|
|
|
1bb595 |
+ * as a fallback (except for gdm-smartcard),
|
|
|
1bb595 |
+ * errors can be ignored here.
|
|
|
1bb595 |
*/
|
|
|
1bb595 |
}
|
|
|
1bb595 |
}
|
|
|
1bb595 |
@@ -2588,7 +2597,6 @@ static int pam_sss(enum sss_cli_command task, pam_handle_t *pamh,
|
|
|
1bb595 |
quiet_mode);
|
|
|
1bb595 |
if (ret != PAM_SUCCESS) {
|
|
|
1bb595 |
D(("check_login_token_name failed.\n"));
|
|
|
1bb595 |
- return ret;
|
|
|
1bb595 |
}
|
|
|
1bb595 |
}
|
|
|
1bb595 |
|
|
|
1bb595 |
--
|
|
|
1bb595 |
2.21.3
|
|
|
1bb595 |
|